Chapter 1


Introduction 


One of the research areas of great importance in Computer Science is the study of the
semantics of concurrent reactive systems [HP85]. These are systems that compute by
interacting with their environment, and typically consist of several parallel components,
which execute simultaneously and potentially communicate with each other. Examples of
such systems range from rather simple devices such as calculators and vending machines,
to programs controlling mechanical devices such as cars, subways or spaceships. In light
of their widespread deployment and complexity, the application of rigorous methods for
the specification, design and reasoning on the behaviour of reactive systems has always
been a great challenge.

One possible approach to formally handle reactive systems is to use a “common language”
for describing both the actual implementations and their specifications. When following
this technique, checking whether an implementation and its specification describe the
same behaviour reduces to proving some notion of equivalence/preorder between their
corresponding descriptions over the chosen language. This procedure is also referred to
as “equivalence checking”.

Intuitively, we say that an implementation complies with its specification whenever the
implementation displays only the behaviour allowed by the specification, and nothing
more. However, it is important to notice that system verification can be performed at
different levels of abstraction, with respect to non-determinism, for example, depending
on the context of application. In this regard, we refer to a suite of semantics that
are thoroughly studied throughout this thesis, namely: bisimilarity [MP81, Mil89] -
the standard notion of behavioural equivalence in concurrency -, the spectrum of
decorated trace semantics in van Glabbeek’s work [vG01a], and must and may testing
semantics [CH89, DH84, Hen88].

Over time, different mathematical frameworks have been exploited for modelling reactive
systems and their behaviours, and for deriving efficient verification algorithms for
their computer-aided analysis. In the sequel, we provide a short overview of two such
“dual” frameworks: algebra [BS12, Hen88] and coalgebra [JR97, Rut00].


1.1 Algebra 

Algebraic process theories, or “process algebras”, have been successfully used as
prototype specification languages for reactive systems. Typically, the definition of process
algebras consists in providing a syntax and an operational semantics, usually given in
terms of so-called Structural Operational Semantics (SOS) rules [Plo04]. Intuitively, SOS
is a framework used for describing how programs compute step by step, by emphasising
the corresponding state-transformations that occur after the execution of certain actions.
Once a desired notion of behavioural equivalence or preorder over processes is fixed, a
corresponding sound (and ideally complete) axiomatisation is given. This way, one can
establish the conformance of an implementation with its specification in an equational
style, without generating the state space of processes, therefore potentially combating
the state explosion problem. We hint, for example, to the works in [ABV94] and [BdV04],
where sound and complete axiomatisations for bisimilarity of systems complying with the
GSOS [BIM95] format and GSOS with termination, respectively, are provided.
Unfortunately, this approach has low flexibility as regards language modifications:
axiomatisations are usually shown sound and complete by means of proof techniques that
take into account the combinators of the language under consideration; hence new
syntactic constructs frequently impose new proofs (from scratch). Consider, for instance,
the work in [ACGI11] extending the results in [ABV94] to the case of GSOS with predicates
such as termination, divergence and convergence. Even though syntactically trivial,
the extension required the construction of a new axiomatisation that had to be proven
sound and complete (which is often not a trivial task).

However, as soon as an axiomatisation is identified, the implementation of a verification
tool based on equational reasoning is almost straightforward. We refer, for example,
to the automated tool in [ACGI11] which can be used for reasoning on bisimilarity of
systems complying with the extended GSOS format in [ACGI11].

Moreover, in the algebraic setting, SOS rules can be used not only for specifying the
behaviour of systems in an intuitive fashion, but also for imposing a series of (syntactic)
constraints to guarantee that a certain notion of behavioural equivalence (or preorder)
for systems satisfying the aforementioned restrictions is also a (pre)congruence.
Semantics which are also (pre)congruences are important from the practical perspective
as well. Intuitively, whenever a subcomponent of a system is replaced, showing the
equivalence between the new “upgraded” system and the initial one, with respect to a notion
of (pre)congruence, reduces to showing the equivalence between the two subsystems that
have been interchanged. This way, the complexity of the verification procedure is
obviously reduced. In this respect, we refer, for instance, to the GSOS [BIM95] format which
guarantees that bisimilarity is a congruence. In related work [BFvG04], precongruence
formats for decorated trace semantics [vG01a] were established via modal characterisations
of the corresponding preorders.


1.2 Coalgebra 

A possible representation of implementations and their specifications is in terms of state
machines. These allow for a uniform manipulation of systems such as: streams [Rut05],
(non)deterministic and probabilistic automata [RS59, Rab80], Moore [Moo56] and
Mealy [Mea55] machines, and labelled transition systems [Kel76].
Coalgebra [JR97, Rut00] is a recent unifying theory combining ideas from the mathematical
theory of dynamical systems and from the theory of state-based computation, and
has been successfully applied as a mathematical framework for the study of state-based
systems. Intuitively, from the coalgebraic perspective, systems with (possibly) infinite
behaviour are represented as black-box machines analyzed only according to their observable
behaviour. Mathematically, one can describe such a machine in terms of a coalgebra
$(X, \delta\colon X \to \mathcal{F}(X))$ consisting of a set (of states) $X$, and a map $\delta$ encapsulating the
corresponding behaviour based on a functor $\mathcal{F}$. This map represents the set of observers,
or destructors, allowing one to “break” (infinite) system behaviour into analyzable
fragments.

Coalgebraic analysis on the behaviours of systems can be performed as follows. First,
identify the appropriate functor associated with the class of systems under analysis. Then,
reason on the corresponding notion of behavioural equivalence by coinduction [SR11], a
proof technique based on bisimulation, already implemented in automated tools [BP13,
CGK+13, CPS93a, GLMS11, RL09].

All the systems mentioned above can be coalgebraically modelled in a uniform way, by
simply varying the behaviour functor $\mathcal{F}$. For instance, for the case of streams (i.e., infinite
words) over an alphabet $A$, the functor $\mathcal{F}(X) = A \times X$ provides the head of the stream,
which is an element of $A$, and its tail, which is again a stream. Labelled transition systems
are intuitively defined by the functor $\mathcal{F}(X) = (\mathcal{P}_\omega(X))^A$, which for an action labelled in $A$
returns the set of states that can be (non-deterministically) reached after executing that
action. More interestingly, note that each functor induces a notion of behavioural
equivalence [Rut00]. For streams, for example, this coincides with stream equality, whereas
for deterministic automata and labelled transition systems, the corresponding notions of
behavioural equivalence are language equivalence and bisimilarity [MP81, Mil89],
respectively.
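To make the two functors just mentioned concrete, here is an added example in Python (it is not code from the thesis or from any of the tools it cites). A finite coalgebra is written as a map from states to `{label: frozenset(successors)}`: for $\mathcal{F}(X) = A \times X$ each state carries one label (the head) and one successor (the tail), for $\mathcal{F}(X) = (\mathcal{P}_\omega(X))^A$ an action may lead to several successors. One signature-based partition refinement (in the style of Kanellakis and Smolka) then decides the behavioural equivalence induced by either functor: stream equality for the first, bisimilarity for the second. The state names and the two stream machines and three processes are constructed for the example.

```python
# Added example (not from the thesis): finite coalgebras for F(X) = A x X (streams)
# and F(X) = (P_w X)^A (labelled transition systems), with behavioural equivalence
# decided by signature-based partition refinement (Kanellakis-Smolka style).
# A finite coalgebra is represented as  delta: state -> {label: frozenset(successors)}.

def partition_refinement(delta):
    """Return a map state -> block id such that two states are behaviourally
    equivalent (bisimilar) iff they end up in the same block."""
    states = list(delta)
    block = {s: 0 for s in states}            # start with a single block
    while True:
        # signature of s: its current block plus, per label, the blocks it can reach
        sig = {}
        for s in states:
            succ = frozenset((a, frozenset(block[t] for t in ts))
                             for a, ts in delta[s].items() if ts)
            sig[s] = (block[s], succ)
        ids = {}
        new_block = {s: ids.setdefault(sig[s], len(ids)) for s in states}
        if len(ids) == len(set(block.values())):   # no block was split: stable
            return new_block
        block = new_block

def bisimilar(delta, s, t):
    block = partition_refinement(delta)
    return block[s] == block[t]

# ---- streams over A = {0, 1}: delta(x) = {head(x): {tail(x)}} ----
# Constructed: machine P (2 states) and machine Q (4 states) both unfold to 0101...
STREAMS = {
    "p0": {0: frozenset({"p1"})}, "p1": {1: frozenset({"p0"})},
    "q0": {0: frozenset({"q1"})}, "q1": {1: frozenset({"q2"})},
    "q2": {0: frozenset({"q3"})}, "q3": {1: frozenset({"q0"})},
}

# ---- LTS over A = {a, b, c}: constructed s = a.(b + c) versus t = a.b + a.c ----
LTS = {
    "s": {"a": frozenset({"s1"})},
    "s1": {"b": frozenset({"s2"}), "c": frozenset({"s3"})},
    "s2": {}, "s3": {},
    "t": {"a": frozenset({"t1", "t2"})},
    "t1": {"b": frozenset({"t3"})},
    "t2": {"c": frozenset({"t4"})},
    "t3": {}, "t4": {},
    "u": {"a": frozenset({"u1"})},            # u is s with different state names
    "u1": {"b": frozenset({"u2"}), "c": frozenset({"u3"})},
    "u2": {}, "u3": {},
}

if __name__ == "__main__":
    print(bisimilar(STREAMS, "p0", "q0"))   # True: both generate 0101...
    print(bisimilar(STREAMS, "p1", "q0"))   # False: 1010... versus 0101...
    print(bisimilar(LTS, "s", "t"))         # False: same traces, not bisimilar
    print(bisimilar(LTS, "s", "u"))         # True
```

The refinement loop stops as soon as a round splits no block; since a block is only ever split, never merged, the number of rounds is bounded by the number of states. The pair `s`, `t` is the classic case that separates bisimilarity from the linear-time semantics discussed later: both can perform the traces `a`, `ab` and `ac`, but `t` decides between `b` and `c` already at its `a`-step.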

As already stated, verification of systems can be performed at different levels of abstraction,
depending on the context of application. The work in this thesis is closely related
to the results in [SBBR10]. There it is shown how the generality and modularity of
coalgebras can be exploited (via a coalgebraic subset construction) in order to uniformly
reason about the behaviour of labelled transition systems in terms of trace, ready or
failure equivalence [vG01a], rather than bisimilarity. Moreover, reasoning on the
aforementioned equivalences follows “for free” by coinduction, and can be performed in a fully
automated fashion using the tool in [BP13].

Even though the coalgebraic setting abstracts from the syntax in process description
languages, its generality and uniformity also enables the interplay with syntax-based
characterisations of systems. For example, we refer to the works in [Kli09, TP97], where
bialgebraic frameworks for deriving congruence rule formats and proving compositionality of
various kinds of semantics (such as bisimilarity and decorated trace semantics [vG01a])
were provided based on the so-called distributive laws of syntax over behaviour. From
a simpler perspective, note that the dynamics of transition systems for process algebras
can be coalgebraically characterised (in terms of states and transitions between states)
according to the SOS rules expressing their behaviours.


1.3 Aim and approach 

Along the research lines mentioned so far, the aim of our work is to exploit the strengths
of the (co)algebraic framework in modelling reactive systems and reasoning on several
types of associated semantics, in a uniform fashion. In particular, we are interested in
handling notions of behavioural equivalence/preorder ranging from bisimilarity for systems
that can be represented as non-deterministic coalgebras [SBR10], to decorated trace
semantics for labelled transition systems and probabilistic systems, and testing semantics
for labelled transition systems with internal behaviour. Moreover, we aim at deriving a
suite of corresponding verification algorithms suitable for implementation in automated
tools.

The approach we adopt is based on the following steps. 

• First, we focus on the results in [BRS09] introducing a language of expressions
for specifying a large class of systems that can be modelled as non-deterministic
coalgebras, and a sound and complete axiomatisation for bisimilarity of such systems.
The latter include, for example, streams, (non)deterministic automata, Mealy,
Moore and labelled transition systems. In [BRS09], systems which are coalgebras of
non-deterministic functors are described in a rather algebraic fashion, in terms of a
language of expressions derived according to the functor of interest. Then, expressions
are shown to have a coalgebraic structure, hence further enabling reasoning
on their equivalence by coinduction.

In our approach, we exploit a combination of algebra and coalgebra, based on interplays
such as constructors - destructors, induction - coinduction (both as definition
and as proof principles), and congruence - bisimilarity [JR97]. Building on these
associations and on the strength of coalgebras in deriving algorithms and tools for
the automatic verification of systems, we construct a decision procedure for the
bisimilarity of generalised regular expressions [BRS09] (and therefore, of their
corresponding non-deterministic systems). This is achieved by providing an algebraic
specification for the coalgebra of expressions, and reducing coinduction to an
entailment relation between this specification and a suitable set of equations.

The theory was implemented in CIRC [GLR00, RL09] - an automated theorem
prover based on coinduction, successfully used for reasoning on properties of infinite
data structures such as streams -, and can be tested online at:
http://goriac.info/tools/functorizer/.

• Although bisimilarity [MP81, Mil89] is the standard notion of behavioural equivalence
in concurrency theory, a considerable amount of work has been dedicated to the
treatment of decorated trace semantics [vG01a, JS90], and may and must testing
semantics [CH89, DH84, Hen88], for instance.

Studying semantics other than bisimilarity is not only an interesting research subject 
per se, but is also important from the applicability perspective. 

For example, bisimilarity, which belongs to the class of the so-called “branching
time” semantics, can sometimes be too fine for system verification. Therefore,
coarser semantics such as the “linear time” semantics might be more appropriate. In
this respect, we refer to the work in [vG01b] for a survey on the aforementioned
semantic equivalences (and preorders), and for a study on their context of application
and advantages.
Semantics coarser than bisimilarity, for example, that are also
(pre)congruences, can play an important role in system reduction as well. Consider
a scenario in which the correctness of concurrent systems is established according
to a property expressed by a set of logical formulae. It would be desirable
to use a (pre)congruence preserving such a property for deriving a smaller (reduced)
labelled transition system whose components are eventually checked for the
aforementioned property. Hence, the coarser the (pre)congruence, the coarser the
refinement of the original system.

We refer, for example, to the work in [Val95], where it is shown that trace equivalence
[vG01a] is the weakest congruence preserving the property “P may ever
execute action a”, whereas the so-called “stable failure equivalence” is the weakest
deadlock-preserving congruence with respect to any set of Basic LOTOS [BB87]
operators containing parallel composition.

We also hint to the work in [SBBR10], where trace, failure and readiness semantics
[vG01a] were recovered in a coalgebraic setting by applying the generalised
powerset construction [SBBR13], which is reminiscent of the determinisation of
non-deterministic automata.

Also of interest in concurrency are must and may testing semantics [DH84, Hen88].
Unlike weak bisimilarity, must testing distinguishes between livelock and deadlock,
for instance. This can be useful in practice as, even though the internal behaviour of
systems does not provide any information to an external observer, it can be desirable
to set apart infinite internal computations from the impossibility of performing any
further move. In [CH89], an alternative characterisation of may and must testing
semantics is based on sequences of observable actions processes can execute. Hence,
it is of interest to study a possible connection with the approach in [SBBR10], for
a coalgebraic modelling of these semantics.

Motivated by these results and observations, as a second step we provide a uniform 
coalgebraic modelling of decorated trace, may and must testing semantics via the 
generalised powerset construction. 

• Last, but not least, we exploit the coalgebraic modelling of decorated trace and must 
testing semantics (which is more interesting than may testing semantics, as it is 
sensitive to the non-determinism of processes), and devise algorithms for reasoning 
on the corresponding equivalences and preorders. 

Existing algorithms for the automated checking of these behavioural semantics over
finite-state systems rely on the following idea. First, non-deterministic systems
are transformed into the so-called (deterministic) “acceptance graphs”, by applying
a technique which is reminiscent of the determinisation of non-deterministic
automata [RS59]. Then, reasoning on the aforementioned semantics on the original
non-deterministic systems is reduced to the equivalent problem of reasoning
on bisimilarity of the associated acceptance graphs. We refer to [CPS93b, CS96,
CDLT08] for examples of automated tools implementing such algorithms.

In our work, however, the coalgebraic setting enables the construction of verification
algorithms which are not available for bisimilarity. More precisely, we build
an algorithm based on (Moore-)bisimulations (up-to) [BP13, SR11, San98], which
follows as a consequence of the determinisation procedure previously mentioned.
Moreover, we provide a variation of Brzozowski’s algorithm [Brz62], by exploiting
the abstract coalgebraic theory in [BBRS12].

Our approach is uniform and modular: once the “recipe” for handling failure semantics
is established, the almost straightforward extension to non-deterministic
systems with internal behaviour enabled shifting to must testing semantics. This
is also a consequence of the fact that failure semantics coincides with must testing
in the absence of divergence [CH89, Nic87]. Furthermore, the algorithms for
reasoning on failure semantics can be easily adapted also for other decorated trace
semantics studied in this thesis.

Both the bisimulation-based and Brzozowski’s minimisation techniques were implemented
in an automated tool, and can be tested online at:
http://perso.ens-lyon.fr/damien.pous/brz/.
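As an added illustration of the third step above (example code, not the thesis’s own construction nor the implementation of the tool linked above), the following Python models failure and trace semantics of a finite LTS through a powerset construction explored on the fly: a set of states is a state of a Moore automaton whose observation is, for failure semantics, the family of refusal sets of that state set and, for trace semantics, mere non-emptiness; the deterministic systems are then compared with Hopcroft and Karp’s algorithm, i.e. a bisimulation up to equivalence maintained with a union-find structure (the congruence closure that makes HKC an optimisation is not shown). The alphabet and the three processes x, y and z are constructed for the example; x and y are failure-equivalent but not bisimilar, while z is only trace-equivalent to them.

```python
from itertools import combinations

# Added example (not from the thesis): decorated trace semantics of a finite LTS via a
# powerset construction to a Moore automaton, compared with Hopcroft and Karp's
# algorithm (bisimulation up to equivalence via union-find). HKC's additional
# up-to-congruence step is not shown. An LTS is  delta: state -> {action: set(successors)}.

def subsets(alphabet):
    xs = sorted(alphabet)
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]

def initials(delta, s):
    """Actions enabled in state s."""
    return frozenset(a for a, ts in delta.get(s, {}).items() if ts)

def failure_observation(delta, alphabet, S):
    """Refusal sets of the state set S: X is refused if some s in S enables no action
    of X (the down-closure of the complements of the initial sets)."""
    return frozenset(X for X in subsets(alphabet)
                     if any(not (X & initials(delta, s)) for s in S))

def trace_observation(delta, alphabet, S):
    """For (prefix-closed) trace semantics the only observation is reachability."""
    return bool(S)

def step(delta, S, a):
    """Powerset transition: all a-successors of all states in S."""
    return frozenset(t for s in S for t in delta.get(s, {}).get(a, ()))

def moore_equivalent(delta, alphabet, observe, s, t):
    """Hopcroft-Karp: explore pairs of state sets, merging each visited pair in a
    union-find structure; a pair with different observations is a counter-example."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    todo = [(frozenset({s}), frozenset({t}))]
    while todo:
        S, T = todo.pop()
        rs, rt = find(S), find(T)
        if rs == rt:
            continue                        # already known (or assumed) equivalent
        if observe(delta, alphabet, S) != observe(delta, alphabet, T):
            return False
        parent[rs] = rt
        for a in alphabet:
            todo.append((step(delta, S, a), step(delta, T, a)))
    return True

def failure_equivalent(delta, alphabet, s, t):
    return moore_equivalent(delta, alphabet, failure_observation, s, t)

def trace_equivalent(delta, alphabet, s, t):
    return moore_equivalent(delta, alphabet, trace_observation, s, t)

# Constructed processes over A = {a, b, c}:
#   x = a.b + a.c        y = a.b + a.c + a.(b + c)        z = a.(b + c)
ALPHABET = frozenset({"a", "b", "c"})
PROCS = {
    "x": {"a": {"x1", "x2"}}, "x1": {"b": {"x3"}}, "x2": {"c": {"x4"}},
    "y": {"a": {"y1", "y2", "y3"}}, "y1": {"b": {"y4"}}, "y2": {"c": {"y5"}},
    "y3": {"b": {"y6"}, "c": {"y7"}},
    "z": {"a": {"z1"}}, "z1": {"b": {"z2"}, "c": {"z3"}},
}

if __name__ == "__main__":
    print(trace_equivalent(PROCS, ALPHABET, "x", "z"))     # True: traces {a, ab, ac}
    print(failure_equivalent(PROCS, ALPHABET, "x", "y"))   # True: same refusals after each trace
    print(failure_equivalent(PROCS, ALPHABET, "x", "z"))   # False: after a, x may refuse b; z cannot
```

Swapping only the observation function switches between the semantics, which is the modularity the bullet describes; the transition part of the construction, and the up-to-equivalence comparison on top of it, are untouched. The exploration is on the fly, so the determinised automata are never built in full: a pair whose two state sets are already in the same union-find class is skipped without visiting its successors.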
1.4 Thesis outline

We summarise the content and the main contributions of the thesis. 


Chapter 2 provides the basic definitions from coalgebra and recalls the generalised powerset
construction, which we will use in our work.


Chapter 3 presents an algorithm to decide whether two (generalised regular) expressions
defining systems that can be modelled as non-deterministic coalgebras are bisimilar or
not. The aforementioned expressions and an analogue of Kleene’s theorem and Kleene
algebra were recently proposed by Silva, Bonsangue and Rutten in [SBR10]. Examples
of systems we handle include infinite streams, deterministic automata, Mealy machines
and labelled transition systems. The procedure is implemented in the automatic theorem
prover CIRC, by reducing coinduction to an entailment relation between an algebraic
specification and an appropriate set of equations.

The main contributions are summarised in the table below.

A decision procedure for bisimilarity
    Algebraic modelling of expressions      Figure 3.2
    Algebraic encoding of bisimilarity      Corollary 3.3.4
    Soundness                               Theorem 3.4.2
    Decision procedure                      Theorem 3.4.3


This chapter is based on the following papers:

[BCG+11] Marcello M. Bonsangue, Georgiana Caltais, Eugen-Ioan Goriac, Dorel Lucanu,
Jan J. M. M. Rutten, Alexandra Silva. A decision procedure for bisimilarity of generalised
regular expressions. Proc. 13th Brazilian Symposium on Formal Methods, 2011:226-241.

[BCG+13] Marcello M. Bonsangue, Georgiana Caltais, Eugen-Ioan Goriac, Dorel Lucanu,
Jan J. M. M. Rutten, Alexandra Silva. Automatic equivalence proofs for non-deterministic
coalgebras. Science of Computer Programming, 2013:1324-1345.


Chapter 4 provides the coalgebraic handling of a series of semantics on transition systems
in a uniform modular fashion, by employing the generalised powerset construction
introduced by Silva, Bonchi, Bonsangue and Rutten in [SBBR13]. As we shall see, this
construction yields a notion of minimal representatives for (i) decorated trace equivalences
for labelled transition systems (LTS’s) [Kel76] and generative probabilistic systems
(GPS’s) [vG01a, JS90] and, (ii) must and may testing semantics for non-deterministic
systems with internal behaviour [CH89, DH84, Hen88]. As a consequence, reasoning
on the aforementioned notions of behavioural equivalence/preorder can be performed
in terms of (Moore-)bisimulations. Moreover, we show how the spectrum of decorated
trace semantics can be recovered from the coalgebraic modelling.

The main contributions are listed in the following table. 
Decorated traces and testing semantics coalgebraically
    Correctness of the coalgebraic modelling of:
        Ready & failure semantics for LTS’s                 Theorem 4.1.3
        (Complete) trace semantics for LTS’s                Theorem 4.1.9
        Possible-futures semantics for LTS’s                Theorem 4.1.12
        Ready & failure trace semantics for LTS’s           Theorem 4.1.16
        Ready & (maximal) failure semantics for GPS’s       Theorem 4.2.5
        (Maximal) trace semantics for GPS’s                 Theorem 4.2.7
        May testing semantics                               Theorem 4.6.2
        Must testing semantics                              Theorem 4.6.7
    Recovering the spectrum                                 Lemma 4.5.1, Lemma 4.5.2


This chapter is based on the papers:

[BBC+12] Filippo Bonchi, Marcello Bonsangue, Georgiana Caltais, Jan Rutten, Alexandra
Silva. Final semantics for decorated traces. Electronic Notes in Theoretical Computer Science,
2012:73-86. Proc. Mathematical Foundations of Programming Semantics 2012.


Chapter 5 focuses on checking language equivalence (or inclusion) of finite automata.
This is a classical problem in computer science, which has recently received renewed
interest and found novel and more effective solutions, such as the approaches based on
antichains [ACH+10, WDHR06] or bisimulations up-to [BP13, RBR13, SR11, San98].
Several notions of equivalence (or preorder) have been proposed for the analysis of concurrent
systems. Some approaches reduce the problem of checking these equivalences to
the problem of checking bisimilarity. In this chapter, we tackle this challenge differently,
and propose to “adapt” algorithms for language semantics. More precisely, we introduce
an analogue of Brzozowski’s algorithm and HKC - an optimisation of Hopcroft and Karp’s
algorithm [HK71] based on bisimulations up-to -, for checking must testing equivalence
and preorder as well as failure equivalence. To achieve this transfer of technology (from
language to must/failure semantics), we take a coalgebraic look at the problem at hand.
The table below summarises the main contributions of this chapter.


Algorithms for decorated trace and must testing semantics
    HKC for failure semantics                   Sections 5.2.1, 5.2.3
    Brzozowski for failure semantics            Sections 5.2.4, 5.2.5
    HKC for must testing semantics              Sections 5.2.2, 5.2.3
    Brzozowski for must testing semantics       Sections 5.2.6, 5.2.7


This work is based on the paper: 

Filippo Bonchi, Georgiana Caltais, Damien Pous, Alexandra Silva. Brzozowski’s and Up-to 
Algorithms for Must Testing. To appear in volume 8301 of the Lecture Notes in Computer 
Science series. 
1.5 Related work

The contributions of the thesis stem from the underlying idea of formally specifying and
verifying concurrent reactive systems in a uniform fashion, both in theory and practice,
by exploiting the (co)algebraic framework.

On the one hand, we build our work based on previous results originating from the
correspondence between regular expressions and finite deterministic automata (DFA’s) - two
of the most basic structures in Computer Science. Kleene’s theorem [Kle56] gives a
fundamental correspondence between these two structures: each regular expression denotes
a language that can be recognised by a DFA and, conversely, the language accepted by
a DFA can be specified by a regular expression. A sound and complete axiomatisation
(later refined by Kozen in [Koz91, Koz01]) for proving the equivalence of regular expressions
was introduced by Salomaa [Sal66], and an extension for the case of LTS’s modulo
bisimilarity was derived by Milner in [Mil84].

For coalgebras of a large class of functors, a language of regular expressions, a corresponding
generalisation of Kleene’s theorem, and a sound and complete axiomatisation
for the associated notion of behavioural equivalence were introduced in [SBR10]. Both
the language of expressions and their axiomatisation were derived, in a modular fashion,
from the functor defining the type of the system.

One of the contributions of the thesis consists in a decision procedure for bisimilarity
of generalised regular expressions in [SBR10], implemented in the coinductive theorem
prover CIRC [GLR00, RL09]. More explicitly, we derived an encoding of generalised
regular expressions and their coalgebraic structure into CIRC-compatible constructs, and
implemented a tool allowing this translation automatically, hence enabling the automated
reasoning on bisimilarity of non-deterministic coalgebras.

We further mention some of the existing coalgebra-based tools for proving bisimilarity
and the main differences with our tool. CoCasl [HMS05] and CCSL [RTJ01] are tools
that can generate proof obligations for theorem provers from coalgebraic specifications.
In [HMS05] several tactics for interactive and automatic bisimulation building are implemented
in Isabelle/HOL and are used to derive bisimilarities for translated specifications
from CoCasl. The main difference between our tool and CoCasl or CCSL is that, given a
functor, the tool derives a specification language for which equivalence is decidable (that
is, it is automatic and not interactive). CIRC [GLR00, RL09], on top of which the current
tool is built, is based on hidden logic [Ros00] and uses a partial decision procedure for
proving bisimilarities via implicit construction of bisimulations. Our tool can be seen as an
extension of CIRC to a fully automatic theorem prover for the class of non-deterministic
coalgebras. We stress the fact that the focus of our work is on a language for which
equivalence is decidable. Tools such as CoCasl, CCSL or CIRC have a more expressive language,
where one can, for instance, specify streams which in our language could not be specified
(intuitively, the streams we can specify in our language are eventually periodic). In those
tools decidability of equivalence can, however, not be guaranteed.

On the other hand, we exploit the coalgebraic framework in order to provide a uniform
handling of a suite of semantics, other than bisimilarity. More explicitly, we are interested
in deriving coalgebraic characterisations and algorithms suitable for implementation for:
decorated trace semantics in the context of LTS’s and GPS’s as introduced in [vG01a,
JS90], and testing semantics for LTS’s with internal behaviour as given in [CH89].

In the recent past, some of the decorated trace semantics in van Glabbeek’s spectrum
have been cast in the coalgebraic framework. Notably, trace semantics of LTS’s was widely
studied [HJS07, LPW00, SBBR10] and, more recently, (complete) trace, ready and failure
semantics were recovered in [SBBR13] via a coalgebraic generalisation of the classical
powerset construction [CHL03, Len99, SBBR10]. A coalgebraic characterisation of the
spectrum was also attempted in [Mon08].

Since the introduction of process calculi, a lot of research has also been devoted to the
analysis of testing semantics [DH84]. Intuitively, with respect to a fixed set of tests, two
systems are deemed to be equivalent if they pass exactly the same tests.

In [CH89], a trace-based alternative characterisation of may and must testing was given.
Based on this approach, we provide a coalgebraic modelling of the aforementioned semantics
via the generalised powerset construction. Another coalgebraic outlook on must
testing is presented in [BG06], which introduces a fully abstract coalgebraic semantics for
CSP. The main difference with our work consists in the fact that [BG06] builds a coalgebra
from the syntactic terms of CSP, while here we build a coalgebra starting from LTS’s.
As a further coalgebraic approach to testing, it is worth mentioning test-suites [Kli04],
which tackle the semantics in van Glabbeek’s spectrum [vG01a], but not must testing.

The problem of automatically reasoning on decorated trace and testing semantics of LTS’s
is an interesting research topic per se. One possible approach, which is reminiscent of
the determinisation of non-deterministic automata, consists in deriving deterministic-like
systems for which checking bisimilarity coincides with reasoning on the aforementioned
semantics in the original LTS’s. Several bisimulation-based algorithms are implemented
in tools such as the ones in [CPS93b, CS96, CDLT08]. We also refer to the more recent
work in [BP13], where the determinised automata are related based on bisimulations
up-to [SR11, San98]. The advantage of this procedure is that, in most cases, building
the bisimulations up-to requires visiting only portions of the automata. The partial
exploration is also the key feature of the antichain algorithm [WDHR06] for reasoning on
language equivalence of non-deterministic finite automata.

The best-known algorithm for minimising LTS’s with respect to bisimilarity is the so-called
partition refinement [KS83, PT87], which is analogous to Hopcroft’s minimisation
algorithm [Hop71] for deterministic automata with respect to language equivalence. Last,
but not least, we refer to Brzozowski’s minimisation algorithm [Brz62], which has been
provided with a coalgebraic understanding in [BBRS12].

Along this line of research, in Chapter 5 we introduce an analogue of Brzozowski’s algorithm
and an algorithm based on bisimulations up-to for failure and must testing semantics.
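Brzozowski’s minimisation algorithm, referred to just above, is short enough to state in full. The following is an added example in Python of its classical form for language equivalence of finite automata (it is not the thesis’s variation for failure or must testing semantics, nor the code of the tool linked in Section 1.3): reverse the automaton, determinise it by the subset construction, and do both once more. Automata are tuples (states, alphabet, delta, initial, final) with delta mapping (state, letter) to a set of states; the four-state automaton for “words over {a, b} ending in b” is constructed for the example and minimises to two states.

```python
# Added example (not from the thesis): classical Brzozowski minimisation of a finite
# automaton with respect to language equivalence. An automaton is a tuple
# (states, alphabet, delta, initial, final) with delta: (state, letter) -> set of states;
# a DFA is the special case in which every successor set has exactly one element.

def reverse(aut):
    """Swap the direction of every transition and the roles of initial and final states."""
    states, alphabet, delta, initial, final = aut
    rdelta = {}
    for (s, a), ts in delta.items():
        for t in ts:
            rdelta.setdefault((t, a), set()).add(s)
    return states, alphabet, rdelta, set(final), set(initial)

def determinise(aut):
    """Subset construction restricted to the subsets reachable from the initial set."""
    states, alphabet, delta, initial, final = aut
    start = frozenset(initial)
    ddelta, seen, todo = {}, {start}, [start]
    while todo:
        S = todo.pop()
        for a in alphabet:
            T = frozenset(t for s in S for t in delta.get((s, a), ()))
            ddelta[(S, a)] = {T}
            if T not in seen:
                seen.add(T)
                todo.append(T)
    dfinal = {S for S in seen if S & set(final)}
    return seen, alphabet, ddelta, {start}, dfinal

def brzozowski(aut):
    """Minimal DFA for the language of aut: det(rev(det(rev(aut))))."""
    return determinise(reverse(determinise(reverse(aut))))

def accepts(aut, word):
    states, alphabet, delta, initial, final = aut
    current = set(initial)
    for a in word:
        current = {t for s in current for t in delta.get((s, a), ())}
    return bool(current & set(final))

def minimal_state_count(aut):
    return len(brzozowski(aut)[0])

# Constructed: a 4-state DFA for "words over {a, b} that end in b"; q0 and q1 are
# language-equivalent, and so are q2 and q3, so the minimal DFA has 2 states.
ENDS_IN_B = (
    {"q0", "q1", "q2", "q3"},
    {"a", "b"},
    {("q0", "a"): {"q1"}, ("q0", "b"): {"q2"},
     ("q1", "a"): {"q1"}, ("q1", "b"): {"q2"},
     ("q2", "a"): {"q1"}, ("q2", "b"): {"q3"},
     ("q3", "a"): {"q1"}, ("q3", "b"): {"q3"}},
    {"q0"},
    {"q2", "q3"},
)

if __name__ == "__main__":
    small = brzozowski(ENDS_IN_B)
    print(minimal_state_count(ENDS_IN_B))                                       # 2
    print([accepts(small, w) for w in ("", "a", "b", "ab", "ba", "abb")])      # [False, False, True, True, False, True]
```

The first reverse-and-determinise pass yields a DFA for the reversed language in which every state is reachable; reversing that DFA and determinising again gives a DFA whose states are distinguishable by construction, which is why no explicit equivalence-class computation (as in partition refinement) is needed. The intermediate subset constructions can be exponentially large, which is the price of the algorithm’s simplicity.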


Chapter 2 


Preliminaries 


In this chapter we recall the basic definitions for sets and coalgebras that are needed in
the rest of the thesis. We also introduce the coalgebraic modelling of the (generalised)
powerset construction. We assume the reader is familiar with basic notions from category
theory. We refer the interested reader to [Rut00] and [Awo10] for more information on
coalgebras and category theory, respectively.


2.1 Sets 

Let $\mathbf{Set}$ denote the category of sets (represented by capital letters $X, Y, \ldots$) and functions
(represented by lower case letters $f, g, \ldots$). We write $Y^X$ for the family of functions from
$X$ to $Y$ and $\mathcal{P}_\omega(X)$ for the collection of finite subsets of a set $X$. The product of two sets
$X, Y$ is written as $X \times Y$ and has the projection functions $\pi_1$ and $\pi_2$:
$X \xleftarrow{\pi_1} X \times Y \xrightarrow{\pi_2} Y$.
We define $X \oplus Y = X \uplus Y \uplus \{\bot, \top\}$, where $\uplus$ is the disjoint union of sets, with injections
$X \xrightarrow{\kappa_1} X \uplus Y \xleftarrow{\kappa_2} Y$. Note that the set $X \oplus Y$ is different from the classical
coproduct of $X$ and $Y$ (which we shall denote by $X + Y$), because of the two extra elements $\bot$ and $\top$. These
extra elements are used to represent, respectively, underspecification and inconsistency
in the specification of some systems.

For each of the operations defined above on sets, there is an analogous one on functions.
For the sake of brevity, we first introduce the notation $i \in \overline{1, n}$ as a shorthand for
$i \in \{1, \ldots, n\}$. Let $f\colon X \to Y$, $f_1\colon X \to Y$ and $f_2\colon Z \to W$. We define the following operations:

$$
\begin{array}{ll}
f_1 \times f_2 \colon X \times Z \to Y \times W & f_1 \oplus f_2 \colon X \oplus Z \to Y \oplus W \\
(f_1 \times f_2)(x, z) = (f_1(x), f_2(z)) & (f_1 \oplus f_2)(c) = c, \quad c \in \{\bot, \top\} \\
 & (f_1 \oplus f_2)(\kappa_i(x)) = \kappa_i(f_i(x)), \quad i \in \overline{1, 2} \\
f^A \colon X^A \to Y^A & \mathcal{P}_\omega(f) \colon \mathcal{P}_\omega(X) \to \mathcal{P}_\omega(Y) \\
f^A(g) = f \circ g & \mathcal{P}_\omega(f)(X_1) = \{\, y \in Y \mid f(x) = y,\ x \in X_1 \,\}
\end{array}
$$

Note that in the definition above we are using the same symbols introduced for the
operations on sets. It will always be clear from the context which operation is being used.
2.2 Coalgebras

The examples handled throughout this thesis live in the standard setting of sets and functions.
We therefore define our formal frameworks for modelling and reasoning on behavioural
equivalence of systems based on coalgebras of functors on $\mathbf{Set}$.

2.2.1 Definition (Coalgebra). A coalgebra is a pair $(S, f : S \to \mathcal{F}(S))$, where $S$ is a set of states and $\mathcal{F} : \mathsf{Set} \to \mathsf{Set}$ is a functor.

The functor $\mathcal{F}$, together with the function $f$, determines the transition structure (or dynamics) of the coalgebra [Rut00], also referred to as an $\mathcal{F}$-coalgebra.

A coalgebra (S,/) is finite if S is a finite set. 

2.2.2 Definition (Coalgebra homomorphism). A homomorphism $h : (S, f) \to (T, g)$ from an $\mathcal{F}$-coalgebra $(S, f)$ to an $\mathcal{F}$-coalgebra $(T, g)$ is a function $h : S \to T$ making the following diagram commute, that is, satisfying

$g \circ h = \mathcal{F}(h) \circ f$


2.2.3 Definition (Coalgebra isomorphism). A coalgebra homomorphism $i : S \to T$ is a coalgebra isomorphism if there exists a coalgebra homomorphism $j : T \to S$ such that $i \circ j = id_T$ and $j \circ i = id_S$.


2.2.4 Definition (Final coalgebra). An $\mathcal{F}$-coalgebra $(\Omega, \omega)$ is final if for any $\mathcal{F}$-coalgebra $(S, f)$ there exists a unique $\mathcal{F}$-coalgebra homomorphism $[\![-]\!] : (S, f) \to (\Omega, \omega)$, i.e., a unique function $[\![-]\!] : S \to \Omega$ making the following diagram commute:

$\omega \circ [\![-]\!] = \mathcal{F}([\![-]\!]) \circ f$


Note that not all functors admit final coalgebras. However, it was shown in [Rut00] that such coalgebras exist for the class of bounded functors [GS02]. A functor $\mathcal{F}$ is bounded if there are sets $B$ and $A$ and a surjective natural transformation from $B \times (-)^A$ to $\mathcal{F}$ (Theorem 4.7 in [GS02]). Moreover, final coalgebras, if they exist, are unique up to isomorphism.

Intuitively, a final $\mathcal{F}$-coalgebra $(\Omega, \omega)$ represents the universe of all possible behaviours of $\mathcal{F}$-coalgebras $(S, f)$. The unique homomorphism $[\![-]\!]$ maps each element of $S$ to its behaviour. Using this mapping, behavioural equivalence can be defined as follows.
2.2.5 Definition (Behavioural equivalence). Let $\mathcal{F}$ be a functor that admits final coalgebras. For any two $\mathcal{F}$-coalgebras $(S, f)$ and $(T, g)$, $s \in S$ and $t \in T$ are behaviourally equivalent, written $s \sim_{\mathcal{F}} t$, if and only if they have the same behaviour, that is:

$s \sim_{\mathcal{F}} t \quad \text{iff} \quad [\![s]\!] = [\![t]\!]. \qquad (2.1)$


Coalgebras provide a useful technique for proving behavioural equivalence, namely, bisimulation [AM89].


2.2.6 Definition (Bisimulation). Let $(S, f)$ and $(T, g)$ be two $\mathcal{F}$-coalgebras. A relation $R \subseteq S \times T$ is a bisimulation if there exists a map $\alpha : R \to \mathcal{F}(R)$ such that the projections $\pi_1 : R \to S$ and $\pi_2 : R \to T$ are coalgebra homomorphisms, i.e., they make the following diagram commute:

$f \circ \pi_1 = \mathcal{F}(\pi_1) \circ \alpha \qquad\qquad g \circ \pi_2 = \mathcal{F}(\pi_2) \circ \alpha$

The following alternative definition of bisimulation, sometimes more appropriate for the proofs, was given in [HJ98]: a relation $R \subseteq S \times T$ is a bisimulation if and only if

$(s, t) \in R \Rightarrow (f(s), g(t)) \in \overline{\mathcal{F}}(R)$

where $\overline{\mathcal{F}}(R)$ is defined as

$\overline{\mathcal{F}}(R) = \{(\mathcal{F}(\pi_1)(x), \mathcal{F}(\pi_2)(x)) \mid x \in \mathcal{F}(R)\} \qquad (2.2)$

If two states are bisimilar, and a final coalgebra exists, then they are behaviourally equivalent.

In [Rut00], it was shown that under certain conditions on $\mathcal{F}$ (which are met by all the functors considered in this thesis), bisimulations are a sound and complete proof technique for behavioural equivalence. Namely, by coinduction it holds that:

$s \sim_{\mathcal{F}} t \quad \text{iff there exists a bisimulation } R \text{ such that } s\,R\,t. \qquad (2.3)$

For simplicity, we abuse the notation and write $s \sim_{\mathcal{F}} t$ whenever there exists a bisimulation relation containing $(s, t)$, and we call $\sim_{\mathcal{F}}$ the bisimilarity relation.

Note that different functors $\mathcal{F}$ induce different notions of behavioural equivalence. For the case of streams, deterministic automata, and finite labelled transition systems, for example, behavioural equivalence corresponds to stream equality, language equivalence and the standard notion of bisimilarity by Milner and Park [MP81, Mil89], respectively.
For more insight on the coalgebraic framework introduced in this section, we further 
provide the coalgebraic modelling of deterministic and Moore automata (extensively used 
in Chapter[4]and Chapter©. 

2.2.7 Example. A deterministic automaton (DA) is a pair $(X, (o, t))$, where $X$ is a (possibly infinite) set of states and $(o, t) : X \to 2 \times X^A$ is a function with two components: $o$, the output function, determines if a state $x$ is final ($o(x) = 1$) or not ($o(x) = 0$); and $t$, the transition function, returns for each letter $a$ in the input alphabet $A$ the next state. Note that here $2$ stands for the set with two elements $\{0, 1\}$.

DA's are coalgebras for the functor $\mathcal{D}(X) = 2 \times X^A$. The final coalgebra of this functor is $(2^{A^*}, (\epsilon, (-)_a))$, where $2^{A^*}$ is the set of languages over $A$ and $(\epsilon, (-)_a)$, given a language $L$, determines whether or not the empty word $\epsilon$ is in the language ($\epsilon(L) = 1$ or $\epsilon(L) = 0$, respectively) and, for each input letter $a$, returns the derivative of $L$: $L_a = \{w \in A^* \mid aw \in L\}$.

From any DA, there is a unique map $[\![-]\!]$ into $2^{A^*}$ which assigns to each state its behaviour (that is, the language that the state recognises) [Rut98]. It is the unique homomorphism from $(X, (o, t))$ to the final coalgebra $(2^{A^*}, (\epsilon, (-)_a))$, and it is given by:

$[\![x]\!](\epsilon) = o(x) \qquad\qquad [\![x]\!](aw) = [\![t(x)(a)]\!](w)$

Behavioural equivalence for the functor $\mathcal{D}$ coincides with the classical language equivalence of automata: given a deterministic automaton $(S, (o, t))$, two states of $S$ are said to be language equivalent if and only if they accept the same language.

We further provide the coalgebraic modelling of Moore automata - a generalisation of 
DA’s - which, as we shall later see, will enable shifting from language equivalence to the 
context of decorated trace semantics. 

2.2.8 Example. Moore automata with inputs in $A$ and outputs in $B$ are coalgebras for the functor $\mathcal{M}(X) = B \times X^A$, that is, pairs $(X, (o, t))$ where $X$ is a set, $t : X \to X^A$ is the transition function (like for DA) and $o : X \to B$ is the output function which maps every state to its output. Thus DA can be seen as a special case of Moore automata where $B = 2$.

The final coalgebra for $\mathcal{M}$ is $(B^{A^*}, (\epsilon, (-)_a))$, where $B^{A^*}$ is the set of all functions $\varphi : A^* \to B$, $\epsilon : B^{A^*} \to B$ maps each $\varphi$ into $\varphi(\epsilon)$ and $(-)_a : B^{A^*} \to (B^{A^*})^A$ is defined for all $\varphi \in B^{A^*}$, $a \in A$ and $w \in A^*$ as $(\varphi)_a(w) = \varphi(aw)$. The unique homomorphism $[\![-]\!] : X \to B^{A^*}$ is given by:

$[\![x]\!](\epsilon) = o(x) \qquad\qquad [\![x]\!](aw) = [\![t(x)(a)]\!](w)$

Hence, reasoning on behavioural equivalence of Moore automata reduces to checking equality of functions.


2.3 The generalised powerset construction 

Sometimes, it is interesting to consider other equivalences than $\sim_{\mathcal{F}}$ for reasoning about $\mathcal{F}$-coalgebras. This is the case for non-deterministic automata (NDA's), for which language equivalence is often the intended semantics, instead of bisimilarity. NDA's are coalgebras for the functor $\mathcal{N}(X) = 2 \times (\mathcal{P}_\omega(X))^A$, where $\mathcal{P}_\omega$ stands for the finite powerset, and bisimilarity, which we denote by $\sim_{\mathcal{N}}$, is strictly included in language equivalence. Language equivalence can be recovered by applying the classical powerset construction [RS59] for determinising non-deterministic automata, which can be briefly summarised as follows.

Consider an NDA, which is a coalgebra

$(X, (o, t) : X \to 2 \times (\mathcal{P}_\omega X)^A)$

where (similarly to the case of DA's in Example 2.2.7) $o$ is the output function and determines if a state $x$ is final ($o(x) = 1$) or not ($o(x) = 0$), $t$ is the transition function returning for each input letter $a$ the set of next states, and $2$ stands for the set with two elements $\{0, 1\}$.

The powerset construction derives a DA

$(o^\sharp, t^\sharp) : \mathcal{P}_\omega X \to 2 \times (\mathcal{P}_\omega X)^A,$

by associating to each state $x \in X$ of the NDA a state $\{x\} \in \mathcal{P}_\omega X$. The new output and transition functions are:

$o^\sharp(Y) = \bigsqcup_{y \in Y} o(y) \qquad\qquad t^\sharp(Y)(a) = \bigsqcup_{y \in Y} t(y)(a) \qquad (2.4)$

where $\bigsqcup$ is used to represent both the "Boolean or" and the set union. Intuitively, $\bigsqcup$ stands for the join operation corresponding to the semilattice with carrier $\{0, 1\}$, and the one with carrier $\mathcal{P}_\omega S$, with $S \in \mathsf{Set}$, respectively. The final coalgebra of the DA is the set of languages $2^{A^*}$ over $A$, and the semantic map $[\![-]\!] : \mathcal{P}_\omega X \to 2^{A^*}$ associates to each $\{x\}$ the language $[\![\{x\}]\!]$ accepted by $x$, and is defined as introduced in Example 2.2.7 in the previous section. Consequently, reasoning on language equivalence of two states $x_1$ and $x_2$ of an NDA reduces to identifying a bisimulation $R$ relating $\{x_1\}$ and $\{x_2\}$ in the corresponding DA:

$[\![\{x_1\}]\!] = [\![\{x_2\}]\!] \quad \text{iff} \quad \{x_1\}\,R\,\{x_2\}. \qquad (2.5)$

Based on these observations, we refer to the generalised powerset construction [CHL03, Len99, SBBR10] for coalgebras $f : X \to \mathcal{F}T(X)$, for a functor $\mathcal{F}$ and a monad $T$. Intuitively, this construction applies to the context of NDA's by simply instantiating $T$ with $\mathcal{P}_\omega$ and $\mathcal{F}$ with $2 \times (-)^A$ (more details are provided later on in this section, in Example 2.3.4). Monads are used to encompass computational effects such as non-determinism ($T(X) = \mathcal{P}_\omega(X)$) or partiality ($T(X) = 1 + X$, where $1 = \{*\}$ stands for termination). They come equipped with two operations: unit ($\eta$) and multiplication ($\mu$). Intuitively, $\eta$ enables the embedding of any value into the monad structure, whereas $\mu$ allows one to collapse several levels of computational effects. For instance, the unit and multiplication of the powerset monad $T = (\mathcal{P}_\omega, \eta, \mu)$ are defined as follows:

$\eta_X : X \to \mathcal{P}_\omega X, \quad \eta_X(x) = \{x\} \qquad\qquad \mu_X : \mathcal{P}_\omega(\mathcal{P}_\omega X) \to \mathcal{P}_\omega X, \quad \mu_X(U) = \bigcup_{S \in U} S \qquad (2.6)$

We further provide an overview of the notions of a monad and algebras of a monad, and 
a series of intuitions for their integration into the context of the generalised powerset 
construction. 

First recall that, given two functors $\mathcal{F}$ and $\mathcal{G}$ on $\mathsf{Set}$, a natural transformation $\lambda : \mathcal{F} \Rightarrow \mathcal{G}$ is a family of functions $\lambda_X : \mathcal{F}(X) \to \mathcal{G}(X)$ such that, for all functions $f : X \to Y$, the following holds:

$\lambda_Y \circ \mathcal{F}(f) = \mathcal{G}(f) \circ \lambda_X.$
2.3.1 Definition (Monad). Let $T$ be a functor on $\mathsf{Set}$. A monad is a triple $(T, \eta, \mu)$ where $\eta : Id \Rightarrow T$ and $\mu : T^2 \Rightarrow T$ are two natural transformations, called unit and multiplication, respectively, such that the usual unit and associativity diagrams for $\eta$ and $\mu$ commute.


2.3.2 Definition (Algebra of a monad). An algebra of a monad $(T, \eta, \mu)$, or a $T$-algebra, is a pair $(X, h : T(X) \to X)$ satisfying the laws

$h \circ \eta = id \qquad\qquad h \circ \mu = h \circ Th.$

Intuitively, these laws show how to eliminate the computational effects by propagating the operation $h$ throughout the monadic structure.

For the case of the powerset monad defined in (2.6), for example, $T$-algebras are semilattices (with bottom). Consider a join semilattice $(S, \sqcup)$ with $0$ the least element. Showing that $S$ carries an algebra structure consists in proving that there exists $h : \mathcal{P}_\omega(S) \to S$ satisfying the laws in Definition 2.3.2. It is easy to check that by taking

$h(U) = \bigsqcup_{u \in U} u,$

with $U \subseteq S$, we get the appropriate map.

The proof is as follows. Consider $u \in S$ and $\Psi \in \mathcal{P}_\omega(\mathcal{P}_\omega S)$. Then:

$(h \circ \eta)(u) = h(\{u\}) = u$

$(h \circ \mu)(\Psi) = h(\mu(\Psi)) = h\Big(\bigcup_{U_i \in \Psi} U_i\Big) = \bigsqcup_{U_i \in \Psi,\ u_j \in U_i} u_j$

$(h \circ \mathcal{P}_\omega h)(\Psi) = h(\mathcal{P}_\omega h(\Psi)) = h(\{h(U_i) \mid U_i \in \Psi\}) = \bigsqcup_{U_i \in \Psi} \Big(\bigsqcup_{u_j \in U_i} u_j\Big) = \bigsqcup_{U_i \in \Psi,\ u_j \in U_i} u_j$

The first set of equalities is associated to the law $h \circ \eta = id$ in Definition 2.3.2 and, intuitively, states that eliminating the non-determinism from a singleton set $\{u\}$ consists in simply considering the value $u$. The last two sets of equalities correspond to the law $h \circ \mu = h \circ Th$. Intuitively, they show that eliminating two levels of non-determinism captured within a set $\Psi \in \mathcal{P}_\omega(\mathcal{P}_\omega S)$ can be performed in two different ways: (a) first flatten $\Psi$ and then return the join of the elements in the resulting set, or (b) first compute the joins $h(U_i)$ of the elements of the sets $U_i \in \Psi$ and then return the join of all such $h(U_i)$'s.

2.3.3 Definition (Algebra homomorphism). Let $(T, \eta, \mu)$ be a monad. A function $f : X \to Y$ is a homomorphism between two $T$-algebras $(X, h : T(X) \to X)$ and $(Y, g : T(Y) \to Y)$ if it makes the following diagram commute:

$g \circ T(f) = f \circ h$

These are the key ingredients exploited in [SBBR13] in order to derive the generalised powerset construction for coalgebras $f : X \to \mathcal{F}T(X)$, for a functor $\mathcal{F}$ and a monad $T$, with the proviso that $\mathcal{F}T(X)$ is a $T$-algebra, and $\mathcal{F}$ has a final coalgebra $(\Omega, \omega)$, as summarised in the following commuting diagram, here written out as equations: the coalgebra $f$ factors through the unit $\eta_X : X \to T(X)$ as $f = f^\sharp \circ \eta_X$, with $f^\sharp : T(X) \to \mathcal{F}T(X)$, and the unique homomorphism $[\![-]\!] : T(X) \to \Omega$ into the final $\mathcal{F}$-coalgebra satisfies

$\omega \circ [\![-]\!] = \mathcal{F}([\![-]\!]) \circ f^\sharp \qquad (2.7)$

We refer the interested reader to [SBBR13], where all the technical details are explored and many instances of the construction are shown.

At an intuitive level, the coalgebra $f : X \to \mathcal{F}T(X)$ is extended to $f^\sharp : T(X) \to \mathcal{F}T(X)$ which, for two elements $x_1, x_2 \in X$, enables checking their "$\mathcal{F}$-equivalence with respect to the monad $T$" ($\eta(x_1) \sim_{\mathcal{F}} \eta(x_2)$) rather than checking their $\mathcal{F}T$-equivalence. Formally, assuming that $\mathcal{F}T(X)$ is a $T$-algebra, $f^\sharp$ is the unique algebra map between $(T(X), \mu)$ and $(\mathcal{F}T(X), h)$ (where $h$ is a given algebra structure on $\mathcal{F}T(X)$) such that

$f^\sharp = h \circ Tf.$

Remark 1. Based on (2.1) and (2.3), verifying behavioural equivalence of two states $x_1, x_2$ in a coalgebra $(T(X), f^\sharp)$ consists in identifying a bisimulation $R$ relating $\eta(x_1)$ and $\eta(x_2)$:

$[\![\eta(x_1)]\!] = [\![\eta(x_2)]\!] \quad \text{iff} \quad \eta(x_1)\,R\,\eta(x_2). \qquad (2.8)$

2.3.4 Example. Consider again the case of NDA's, which are coalgebras

$(X, (o, t) : X \to 2 \times (\mathcal{P}_\omega X)^A),$

as introduced in the beginning of this section. Observe that $\mathcal{P}_\omega(X)$ and $2 = \mathcal{P}_\omega(1)$ are (join) semilattices, which are algebras of the powerset monad (here $1$ stands for the singleton set $\{*\}$). Moreover, product and exponentiation preserve the algebra structure, hence guaranteeing that $2 \times (\mathcal{P}_\omega(X))^A$ is an algebra for $\mathcal{P}_\omega$ as well.

At this point it is easy to see that the generalised powerset construction applies to the context of NDA's by simply instantiating $T$ with $\mathcal{P}_\omega$ and $\mathcal{F}$ with $2 \times (-)^A$. It follows that the operation $(o, t)$ of the NDA can be uniquely extended to $(o^\sharp, t^\sharp)$, as in (2.4), in a deterministic setting. The language recognised by a non-deterministic state $x$ can be defined by precomposing the unique morphism $[\![-]\!] : \mathcal{P}_\omega X \to 2^{A^*}$ with the unit $\eta$ of $\mathcal{P}_\omega$. This enables reasoning on language equivalence of states of NDA's in terms of bisimulations, as in (2.5). Recall that for the case of deterministic LTS's, language equivalence and bisimilarity coincide [Eng85].

As a last aspect, note that the set of languages $2^{A^*}$ can be provided with a join semilattice structure by considering the union of languages as the binary operation and the empty language as the least element. It can be easily shown (by induction on words $w \in A^*$) that the semantic map $[\![-]\!]$ is a join semilattice homomorphism (or, equivalently, a $\mathcal{P}_\omega$-algebra homomorphism).

More generally, the semantic map $[\![-]\!]$ in (2.7) is a $T$-algebra homomorphism whenever there exists a distributive law $T\mathcal{F} \Rightarrow \mathcal{F}T$, which guarantees that the carrier $\Omega$ of the final coalgebra is a $T$-algebra as well (see Proposition 4 in [JSS12]).
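As an added illustration of Example 2.3.4 and of equation (2.5), not taken from the thesis or from [SBBR13], the following Python code runs the powerset construction on a constructed NDA: `o_sharp` and `t_sharp` are $o^\sharp$ and $t^\sharp$ of (2.4), using the join of $\{0,1\}$ and the union of finite sets, and `lang_equivalent` closes $\{(\{x_1\}, \{x_2\})\}$ under $t^\sharp$, which is exactly the bisimulation $R$ of (2.5) on the derived DA. It also computes bisimilarity $\sim_{\mathcal{N}}$ on the NDA itself by refinement, so that one can observe that the states $x_1$ and $y_1$ accept the same language but are not bisimilar, i.e., that $\sim_{\mathcal{N}}$ is strictly finer than language equivalence. The automaton, its state names, the alphabet and all function names are this example's own choices.

```python
"""The powerset construction of (2.4)-(2.5) on a constructed NDA, and the
bisimilarity ~N on the NDA itself, to show that the two equivalences differ."""

# Constructed NDA over the alphabet A: o marks the final states (output 1),
# t maps a state and a letter to the finite set of successor states.
A = ('a', 'b', 'c')
o = {'x1': 0, 'x2': 0, 'x3': 0, 'x4': 1, 'y1': 0, 'y2': 0, 'y3': 1}
t = {
    'x1': {'a': frozenset({'x2', 'x3'})},
    'x2': {'b': frozenset({'x4'})},
    'x3': {'c': frozenset({'x4'})},
    'x4': {},
    'y1': {'a': frozenset({'y2'})},
    'y2': {'b': frozenset({'y3'}), 'c': frozenset({'y3'})},
    'y3': {},
}

def eta(x):
    """Unit of the finite powerset monad: x |-> {x}."""
    return frozenset([x])

def o_sharp(Y):
    """o#(Y): join of o(y) over y in Y; the join of the semilattice {0,1} is max."""
    return max((o[y] for y in Y), default=0)

def t_sharp(Y, a):
    """t#(Y)(a): union of t(y)(a) over y in Y (join in the semilattice of finite sets)."""
    return frozenset().union(*(t[y].get(a, frozenset()) for y in Y))

def lang_equivalent(x1, x2):
    """Language equivalence of NDA states x1, x2 as in (2.5): close {({x1}, {x2})}
    under t# and compare outputs; on success R is a bisimulation on the derived DA."""
    start = (eta(x1), eta(x2))
    R, todo = {start}, [start]
    while todo:
        Y1, Y2 = todo.pop()
        if o_sharp(Y1) != o_sharp(Y2):
            return False, (Y1, Y2)          # the pair that breaks the bisimulation
        for a in A:
            pair = (t_sharp(Y1, a), t_sharp(Y2, a))
            if pair not in R:
                R.add(pair)
                todo.append(pair)
    return True, R

def nda_bisimilar(x1, x2):
    """Bisimilarity ~N for the functor 2 x P_w(-)^A: the greatest relation R such that
    related states have equal output and every a-successor of one is related to
    some a-successor of the other, in both directions (computed by refinement)."""
    R = {(s, u) for s in o for u in o if o[s] == o[u]}

    def matched(s, u):
        for a in A:
            S, U = t[s].get(a, frozenset()), t[u].get(a, frozenset())
            if not all(any((s1, u1) in R for u1 in U) for s1 in S):
                return False
            if not all(any((s1, u1) in R for s1 in S) for u1 in U):
                return False
        return True

    while True:
        bad = {p for p in R if not matched(*p)}
        if not bad:
            return (x1, x2) in R
        R -= bad

if __name__ == '__main__':
    print('x1 ~N y1:', nda_bisimilar('x1', 'y1'))                # False
    ok, R = lang_equivalent('x1', 'y1')
    print('[[{x1}]] = [[{y1}]]:', ok, 'with', len(R), 'pairs')   # True, 4 pairs
```

Both $x_1$ and $y_1$ accept exactly $\{ab, ac\}$, so `lang_equivalent` succeeds with the four-pair relation $\{(\{x_1\},\{y_1\}), (\{x_2, x_3\},\{y_2\}), (\{x_4\},\{y_3\}), (\emptyset,\emptyset)\}$; the refinement in `nda_bisimilar` removes $(x_1, y_1)$ because after reading $a$ the NDA has committed to $x_2$ or $x_3$, neither of which matches $y_2$.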






Chapter 3 


Deciding bisimilarity 


The results in this chapter are based on the work in [SBR10], where a language of regular expressions for specifying a large class of systems that can be modelled as non-deterministic coalgebras, and a sound and complete axiomatisation for the corresponding notions of behavioural equivalence, were introduced.

Our contribution consists in a novel method for checking bisimilarity of generalised regular expressions using the coinductive theorem prover CIRC [GLR00, RL09]. The main novelty of the method lies in the generality of the systems it can handle; examples include streams of real numbers, Mealy machines and labelled transition systems. More precisely, our approach deals with systems that can be represented as locally finite coalgebras or, equivalently, coalgebras for which the smallest subcoalgebra generated by a state is finite [Rut00].

CIRC is a metalanguage application implemented in Maude [CDE+07], and its target is to prove properties over infinite data structures. It has been successfully used for checking the equivalence of programs, and trace equivalence and strong bisimilarity of processes. The tool may be tested online and downloaded from https://fmse.info.uaic.ro/tools/Circ/.

Determining whether two expressions are equivalent is important in order to be able to 
compare behavioural specifications. In the presence of a sound and complete axiomati¬ 
sation one can determine equivalence using algebraic reasoning. A coalgebraic perspec¬ 
tive on regular expressions has however provided a more operational/algorithmic way of 
checking equivalence: one constructs a bisimulation relation containing both expressions. 
The advantage of the bisimulation approach is that it enables automation since the steps 
of the construction are fairly mechanic and require almost no ingenuity. We illustrate 
this with an example, to give the reader the feeling of the more algorithmic nature of 
bisimulation. We want to stress however that we are not underestimating the value of 
an algebraic treatment of regular expressions: on the contrary, as we will show later, the 
axiomatisation plays an important role in guaranteeing termination of the bisimulation 
construction and is therefore crucial for the main result of this chapter. 

We show below a proof of the sliding rule: $a(ba)^* = (ab)^*a$. The algebraic proof, using the rules and equations of Kleene algebra, needs to show the two containments

$a(ba)^* \le (ab)^*a \qquad \text{and} \qquad (ab)^*a \le a(ba)^*$

and it requires some ingenuity in the choice of the equation applied in each step. We show the proof for the first inequality; the other follows a similar proof pattern.

$a(ba)^* \le (ab)^*a$
$a + (ab)^*a(ba) \le (ab)^*a \qquad$ right-star rule [Koz91]
$(1 + (ab)^*ab)a \le (ab)^*a \qquad$ associativity and distributivity
$(ab)^*a \le (ab)^*a \qquad$ right expansion rule: $1 + r^*r = r^*$

For the coalgebraic proof, we build incrementally, and rather mechanically, a bisimulation relation containing the pair $(a(ba)^*, (ab)^*a)$. We start with the pair we want to prove equivalent and then we close the relation with respect to syntactic language derivatives, also known as Brzozowski derivatives. In the current example, the bisimulation relation would contain three pairs:

$R = \{(a(ba)^*, (ab)^*a),\ ((ba)^*, b(ab)^*a + 1),\ (0, 0)\}$

where $1$ and $0$ are, respectively, the regular expressions denoting the language containing only the empty word and the empty language. In constructing this relation, no decisions were made, which is what makes bisimulation construction suitable as an automatic technique to prove equivalence of regular expressions.
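The bisimulation construction just described, as an added, runnable example (it is not code from the thesis, from [SBR10] or from CIRC): regular expressions are encoded as tuples, `deriv` computes the Brzozowski derivative, the constructors `alt` and `cat` normalise modulo associativity, commutativity and idempotency of `+` and the usual laws for $0$ and $1$, and `bisimilar` closes the starting pair under derivatives for every letter. On $a(ba)^*$ and $(ab)^*a$ it finds exactly the three-pair relation $R$ above; on inequivalent expressions it returns a word accepted by only one of them, which is the "pinpointed difference" of a failed construction. The encoding and the function names are this example's own choices.

```python
"""Brzozowski derivatives of regular expressions and the bisimulation construction
for the sliding rule a(ba)* = (ab)*a (constructed example)."""
ZERO, ONE = ('0',), ('1',)     # the empty language and the language {empty word}

def sym(a):
    return ('sym', a)

def star(e):
    """e*, with 0* = 1* = 1."""
    return ONE if e in (ZERO, ONE) else ('star', e)

def cat(e, f):
    """e.f normalised with 0.e = e.0 = 0 and 1.e = e.1 = e."""
    if e == ZERO or f == ZERO:
        return ZERO
    if e == ONE:
        return f
    return e if f == ONE else ('cat', e, f)

def alt(*terms):
    """e + f normalised modulo associativity, commutativity, idempotency
    (summands kept as a frozenset) and e + 0 = e."""
    flat = set()
    for term in terms:
        flat.update(term[1] if term[0] == 'alt' else {term})
    flat.discard(ZERO)
    if not flat:
        return ZERO
    return next(iter(flat)) if len(flat) == 1 else ('alt', frozenset(flat))

def nullable(e):
    """Output of the state e: True iff the empty word belongs to the language of e."""
    tag = e[0]
    if tag in ('1', 'star'):
        return True
    if tag in ('0', 'sym'):
        return False
    if tag == 'cat':
        return nullable(e[1]) and nullable(e[2])
    return any(nullable(term) for term in e[1])

def deriv(e, a):
    """Brzozowski derivative of e by the letter a: the a-transition of the state e."""
    tag = e[0]
    if tag in ('0', '1'):
        return ZERO
    if tag == 'sym':
        return ONE if e[1] == a else ZERO
    if tag == 'star':
        return cat(deriv(e[1], a), e)
    if tag == 'cat':
        d = cat(deriv(e[1], a), e[2])
        return alt(d, deriv(e[2], a)) if nullable(e[1]) else d
    return alt(*(deriv(term, a) for term in e[1]))

def show(e):
    """Renders an expression in the usual syntax (summands in sorted order)."""
    tag = e[0]
    if tag in ('0', '1'):
        return tag
    if tag == 'sym':
        return e[1]
    if tag == 'star':
        return show(e[1]) + '*' if e[1][0] == 'sym' else '(' + show(e[1]) + ')*'
    if tag == 'cat':
        return ''.join('(' + show(t) + ')' if t[0] == 'alt' else show(t) for t in e[1:])
    return ' + '.join(sorted(show(term) for term in e[1]))

def bisimilar(e1, e2, alphabet):
    """Closes {(e1, e2)} under derivatives for every letter.  Returns (True, R) with R
    the bisimulation found, or (False, w) with w a word accepted by only one of them."""
    R, todo = {(e1, e2)}, [(e1, e2, '')]
    while todo:
        p, q, w = todo.pop()
        if nullable(p) != nullable(q):
            return False, w
        for a in alphabet:
            pair = (deriv(p, a), deriv(q, a))
            if pair not in R:
                R.add(pair)
                todo.append(pair + (w + a,))
    return True, R

if __name__ == '__main__':
    a, b = sym('a'), sym('b')
    ok, R = bisimilar(cat(a, star(cat(b, a))), cat(star(cat(a, b)), a), 'ab')
    for p, q in sorted(R, key=lambda pq: show(pq[0])):
        print(show(p), '~', show(q))        # the three pairs of the relation above
```

The normalisation in `alt` and `cat` plays the role of the axioms that guarantee termination: without it, derivatives such as $0 \cdot a + 0$ would keep producing syntactically new states, exactly the phenomenon discussed later in this chapter for $\oplus$ modulo ACI.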

The main contributions of this chapter can be summarised as follows. We present a decision procedure to determine equivalence of generalised regular expressions, which specify behaviours of many types of transition systems, including Mealy machines, labelled transition systems and infinite streams. We illustrate the decision procedure we devised by applying it to several examples. As a vehicle of implementation, we choose CIRC, a coinductive theorem prover which has already been explored for the construction of bisimulations. To ease the implementation in CIRC, we present the algebraic specifications' counterpart of the coalgebraic framework of the generalised regular expressions mentioned above. This enables us to automatically derive algebraic specifications that model the language of expressions, and to define an appropriate equational entailment relation which mimics our decision procedure for checking behavioural equivalence of expressions. The implementation of both the algebraic specification and the entailment relation in CIRC allows for automatic reasoning on the equivalence of expressions.

Organisation of the chapter. Section 3.1 recalls the basic definitions of the language associated with a non-deterministic functor. Section 3.2 describes the decision procedure to check equivalence of regular expressions. Section 3.3 formulates the aforementioned language as an algebraic specification, which paves the way to implement in CIRC the procedure to decide equivalence of expressions. The implementation of the decision procedure and its soundness are described in Section 3.4. In Section 3.5 we show, by means of several examples, how one can check bisimilarity using CIRC. In Section 3.6 we briefly wrap up the contributions of this chapter.



3.1 Generalised regular expressions

In this section we briefly recall the basic definitions in [SBR10].

Non-deterministic functors are functors $\mathcal{G} : \mathsf{Set} \to \mathsf{Set}$ built inductively from the identity, and constants, using $\times$, $\oplus$, $(-)^A$ and $\mathcal{P}_\omega$:

$\mathsf{NDF} \ni \mathcal{G} ::= Id \mid B \mid \mathcal{G} \oplus \mathcal{G} \mid \mathcal{G} \times \mathcal{G} \mid \mathcal{G}^A \mid \mathcal{P}_\omega \mathcal{G} \qquad (3.1)$

where $B$ is a finite join-semilattice and $A$ is a finite set. Typical examples of such functors include $\mathcal{S} = B \times Id$, $\mathcal{M} = (B \times Id)^A$, $\mathcal{D} = 2 \times Id^A$, $\mathcal{Q} = (1 \oplus Id)^A$, $\mathcal{N} = 2 \times \mathcal{P}_\omega(Id)^A$ and $\mathcal{L} = 1 \oplus \mathcal{P}_\omega(Id)^A$. These functors represent, respectively, the type of streams, Mealy, deterministic, partial deterministic automata, non-deterministic automata and labelled transition systems with explicit termination. $\mathcal{S}$-bisimulation is stream equality, whereas $\mathcal{D}$-bisimulation coincides with language equivalence.

Next, we give the definition of the ingredient relation, which relates a non-deterministic 
functor with its ingredients, i.e., the functors used in its inductive construction. We shall 
use this relation later for typing our expressions. 

3.1.1 Definition. Let $\lhd\ \subseteq \mathsf{NDF} \times \mathsf{NDF}$ be the least reflexive and transitive relation on non-deterministic functors such that

$\mathcal{G}_1 \lhd \mathcal{G}_1 \times \mathcal{G}_2 \qquad \mathcal{G}_2 \lhd \mathcal{G}_1 \times \mathcal{G}_2 \qquad \mathcal{G}_1 \lhd \mathcal{G}_1 \oplus \mathcal{G}_2 \qquad \mathcal{G}_2 \lhd \mathcal{G}_1 \oplus \mathcal{G}_2 \qquad \mathcal{G} \lhd \mathcal{G}^A \qquad \mathcal{G} \lhd \mathcal{P}_\omega \mathcal{G}$

Throughout this chapter we use $\mathcal{F} \lhd \mathcal{G}$ as a shorthand for $(\mathcal{F}, \mathcal{G}) \in\ \lhd$. If $\mathcal{F} \lhd \mathcal{G}$ then $\mathcal{F}$ is said to be an ingredient of $\mathcal{G}$. For example, $2$, $Id$, $Id^A$ and $\mathcal{D}$ itself are all the ingredients of the deterministic automata functor $\mathcal{D}$.

A language of expressions $Exp_{\mathcal{G}}$ is associated with each non-deterministic functor $\mathcal{G}$.

3.1.2 Definition (Expressions). Let $A$ be a finite set, $B$ a finite join-semilattice and $X$ a set of fixed-point variables. The set $Exp$ of all (generalised regular) expressions is given by the following grammar, where $a \in A$, $b \in B$ and $x \in X$:

$\varepsilon ::= x \mid \varepsilon \oplus \varepsilon \mid \gamma \qquad (3.2)$

where $\gamma$ is a guarded expression given by:

$\gamma ::= \emptyset \mid \gamma \oplus \gamma \mid \mu x.\gamma \mid b \mid l\langle \varepsilon \rangle \mid r\langle \varepsilon \rangle \mid l[\varepsilon] \mid r[\varepsilon] \mid a(\varepsilon) \mid \{\varepsilon\} \qquad (3.3)$

In the expression $\mu x.\gamma$, $\mu$ is a binder for all the free occurrences of $x$ in $\gamma$. Variables that are not bound are free. A closed expression is an expression without free occurrences of fixed-point variables $x$. We denote the set of closed expressions by $Exp_c$.

The language of expressions for non-deterministic coalgebras is a generalisation of the classical notion of regular expressions: $\emptyset$, $\varepsilon_1 \oplus \varepsilon_2$ and $\mu x.\gamma$ play similar roles to the regular expressions denoting the empty language, the union of languages and the Kleene star. Moreover, note that, not unexpectedly, in [SBR10] $\oplus$ was axiomatised as an associative, commutative and idempotent operator, with $\emptyset$ as a neutral element. The expressions $l\langle \varepsilon \rangle$, $r\langle \varepsilon \rangle$, $l[\varepsilon]$, $r[\varepsilon]$, $a(\varepsilon)$ and $\{\varepsilon\}$ specify the left and right-hand side of products and sums, function application and singleton sets, respectively.

Next we present a type assignment system for associating expressions to non-deterministic functors. This will allow us to associate with each functor $\mathcal{G}$ the expressions $\varepsilon \in Exp_c$ that are valid specifications of $\mathcal{G}$-coalgebras.

3.1.3 Definition (Type system). We define a typing relation $\vdash\ \subseteq Exp \times \mathsf{NDF} \times \mathsf{NDF}$ that will associate an expression $\varepsilon$ with two non-deterministic functors $\mathcal{F}$ and $\mathcal{G}$, which are related by the ingredient relation ($\mathcal{F}$ is an ingredient of $\mathcal{G}$). We shall write $\vdash \varepsilon : \mathcal{F} \lhd \mathcal{G}$ (read "$\varepsilon$ is of type $\mathcal{F} \lhd \mathcal{G}$") for $(\varepsilon, \mathcal{F}, \mathcal{G}) \in\ \vdash$. The rules that define $\vdash$ are the following:

$\dfrac{}{\vdash \emptyset : \mathcal{F} \lhd \mathcal{G}} \qquad \dfrac{}{\vdash x : \mathcal{G} \lhd \mathcal{G}}\ (x \in X) \qquad \dfrac{}{\vdash b : B \lhd \mathcal{G}}\ (b \in B)$

$\dfrac{\vdash \varepsilon : \mathcal{G} \lhd \mathcal{G}}{\vdash \mu x.\varepsilon : \mathcal{G} \lhd \mathcal{G}} \qquad \dfrac{\vdash \varepsilon_1 : \mathcal{F} \lhd \mathcal{G} \quad \vdash \varepsilon_2 : \mathcal{F} \lhd \mathcal{G}}{\vdash \varepsilon_1 \oplus \varepsilon_2 : \mathcal{F} \lhd \mathcal{G}} \qquad \dfrac{\vdash \varepsilon : \mathcal{G} \lhd \mathcal{G}}{\vdash \varepsilon : Id \lhd \mathcal{G}}$

$\dfrac{\vdash \varepsilon : \mathcal{F} \lhd \mathcal{G}}{\vdash a(\varepsilon) : \mathcal{F}^A \lhd \mathcal{G}}\ (a \in A) \qquad \dfrac{\vdash \varepsilon : \mathcal{F}_1 \lhd \mathcal{G}}{\vdash \{\varepsilon\} : \mathcal{P}_\omega \mathcal{F}_1 \lhd \mathcal{G}}$

$\dfrac{\vdash \varepsilon : \mathcal{F}_1 \lhd \mathcal{G}}{\vdash l\langle \varepsilon \rangle : \mathcal{F}_1 \times \mathcal{F}_2 \lhd \mathcal{G}} \qquad \dfrac{\vdash \varepsilon : \mathcal{F}_2 \lhd \mathcal{G}}{\vdash r\langle \varepsilon \rangle : \mathcal{F}_1 \times \mathcal{F}_2 \lhd \mathcal{G}} \qquad \dfrac{\vdash \varepsilon : \mathcal{F}_1 \lhd \mathcal{G}}{\vdash l[\varepsilon] : \mathcal{F}_1 \oplus \mathcal{F}_2 \lhd \mathcal{G}} \qquad \dfrac{\vdash \varepsilon : \mathcal{F}_2 \lhd \mathcal{G}}{\vdash r[\varepsilon] : \mathcal{F}_1 \oplus \mathcal{F}_2 \lhd \mathcal{G}}$

We can now formally define the set of $\mathcal{G}$-expressions: well-typed expressions associated with a non-deterministic functor $\mathcal{G}$.

3.1.4 Definition ($\mathcal{G}$-expressions). Let $\mathcal{G}$ be a non-deterministic functor and $\mathcal{F}$ an ingredient of $\mathcal{G}$. We define $Exp_{\mathcal{F} \lhd \mathcal{G}}$ by:

$Exp_{\mathcal{F} \lhd \mathcal{G}} = \{\varepsilon \in Exp_c \mid\ \vdash \varepsilon : \mathcal{F} \lhd \mathcal{G}\}.$

We define the set $Exp_{\mathcal{G}}$ of well-typed $\mathcal{G}$-expressions by $Exp_{\mathcal{G} \lhd \mathcal{G}}$.

In [SBR10], it was proved that the set of $\mathcal{G}$-expressions for a given non-deterministic functor $\mathcal{G}$ has a coalgebraic structure:

$\delta_{\mathcal{G}} : Exp_{\mathcal{G}} \to \mathcal{G}(Exp_{\mathcal{G}})$

More precisely, in [SBR10], which we refer to for the complete definition of $\delta_{\mathcal{G}}$, the authors defined a function $\delta_{\mathcal{F} \lhd \mathcal{G}} : Exp_{\mathcal{F} \lhd \mathcal{G}} \to \mathcal{F}(Exp_{\mathcal{G}})$ and then set $\delta_{\mathcal{G}} = \delta_{\mathcal{G} \lhd \mathcal{G}}$.

The coalgebraic structure on the set of expressions enabled the proof of a Kleene-like theorem:

3.1.5 Theorem (Theorems 3.12 and 3.14 in [SBR10]). Consider $\mathcal{G}$ a non-deterministic functor.

1. For any $\varepsilon \in Exp_{\mathcal{G}}$, there exists a finite $\mathcal{G}$-coalgebra $(S, g)$ and $s \in S$ such that $\varepsilon \sim s$.

2. For every finite $\mathcal{G}$-coalgebra $(S, g)$ and $s \in S$ there exists an expression $\varepsilon_s \in Exp_{\mathcal{G}}$ such that $\varepsilon_s \sim s$.

In order to provide the reader with intuition regarding the notions presented above, we 
illustrate them with an example. 

3.1.6 Example. Let us instantiate the definition of $\mathcal{G}$-expressions to the functor of streams $\mathcal{S} = B \times Id$ (the ingredients of this functor are $B$, $Id$ and $\mathcal{S}$ itself). Let $X$ be a set of (recursion or) fixed-point variables. The set $Exp_{\mathcal{S}}$ of stream expressions is given by the set of closed, guarded expressions generated by the following BNF grammar. For $x \in X$:

$Exp_{\mathcal{S}} \ni \varepsilon ::= \emptyset \mid \varepsilon \oplus \varepsilon \mid \mu x.\varepsilon \mid x \mid l\langle \tau \rangle \mid r\langle \varepsilon \rangle$
$\tau ::= \emptyset \mid b \mid \tau \oplus \tau \qquad (3.4)$

Intuitively, the expression $l\langle b \rangle$ is used to specify that the head of the stream is $b$, while $r\langle \varepsilon \rangle$ specifies a stream whose tail behaves as specified by $\varepsilon$. For the two-element join-semilattice $B = \{0, 1\}$ (with $\bot_B = 0$), examples of well-typed expressions include $\emptyset$, $l\langle 1 \rangle \oplus r\langle l\langle 0 \rangle \rangle$ and $\mu x. r\langle x \rangle \oplus l\langle 1 \rangle$. The expressions $l[1]$, $l\langle 1 \rangle \oplus 1$ and $\mu x.1$ are examples of non well-typed expressions for $\mathcal{S}$, because the functor $\mathcal{S}$ does not involve $\oplus$, the subexpressions in the sum have different type, and recursion is not at the outermost level ($1$ has type $B \lhd \mathcal{S}$), respectively.

By applying the definition in [SBR10], the coalgebra structure on expressions $\delta_{\mathcal{S}} : Exp_{\mathcal{S}} \to B \times Exp_{\mathcal{S}}$ is given by:

$\delta_{\mathcal{S}}(\emptyset) = \langle \bot_B, \emptyset \rangle$
$\delta_{\mathcal{S}}(\varepsilon_1 \oplus \varepsilon_2) = \langle b_1 \vee b_2, \varepsilon_1' \oplus \varepsilon_2' \rangle \quad$ where $\langle b_i, \varepsilon_i' \rangle = \delta_{\mathcal{S}}(\varepsilon_i)$, $i \in \overline{1,2}$
$\delta_{\mathcal{S}}(\mu x.\varepsilon) = \delta_{\mathcal{S}}(\varepsilon[\mu x.\varepsilon / x])$
$\delta_{\mathcal{S}}(l\langle \tau \rangle) = \langle \delta_{B \lhd \mathcal{S}}(\tau), \emptyset \rangle$
$\delta_{\mathcal{S}}(r\langle \varepsilon \rangle) = \langle \bot_B, \varepsilon \rangle$

$\delta_{B \lhd \mathcal{S}}(\emptyset) = \bot_B$
$\delta_{B \lhd \mathcal{S}}(b) = b$
$\delta_{B \lhd \mathcal{S}}(\tau \oplus \tau') = \delta_{B \lhd \mathcal{S}}(\tau) \vee \delta_{B \lhd \mathcal{S}}(\tau')$

The proof of Kleene's theorem provides algorithms to go from expressions to streams and vice-versa. We illustrate it by means of examples.

Consider the following stream:

[stream automaton with three states $s_1$, $s_2$, $s_3$, with outputs $1$, $0$, $1$ and transitions $s_1 \to s_2$, $s_2 \to s_3$, $s_3 \to s_2$]

We draw the stream with an automata-like flavour. The transitions indicate the tail of the stream represented by a state and the output value the head. In a more traditional notation, the above automaton represents the infinite stream $(1, 0, 1, 0, 1, 0, 1, \ldots)$.

To compute expressions $\varepsilon_1$, $\varepsilon_2$ and $\varepsilon_3$ equivalent to $s_1$, $s_2$ and $s_3$ we associate with each state $s_i$ a variable $x_i$ and get the equations:

$\varepsilon_1 = \mu x_1. l\langle 1 \rangle \oplus r\langle x_2 \rangle \qquad \varepsilon_2 = \mu x_2. l\langle 0 \rangle \oplus r\langle x_3 \rangle \qquad \varepsilon_3 = \mu x_3. l\langle 1 \rangle \oplus r\langle x_2 \rangle$

As our goal is to remove all the occurrences of free variables in our expressions, we proceed as follows. First we substitute $x_2$ by $\varepsilon_2$ in $\varepsilon_1$, and $x_3$ by $\varepsilon_3$ in $\varepsilon_2$, and obtain the following expressions:

$\varepsilon_1 = \mu x_1. l\langle 1 \rangle \oplus r\langle \varepsilon_2 \rangle \qquad \varepsilon_2 = \mu x_2. l\langle 0 \rangle \oplus r\langle \varepsilon_3 \rangle$

Note that at this point $\varepsilon_1$ and $\varepsilon_2$ already denote closed expressions. Therefore, as a last step, we replace $x_2$ in $\varepsilon_3$ by $\varepsilon_2$ and get the following closed expressions:

$\varepsilon_1 = \mu x_1. l\langle 1 \rangle \oplus r\langle \varepsilon_2 \rangle \qquad \varepsilon_2 = \mu x_2. l\langle 0 \rangle \oplus r\langle \varepsilon_3 \rangle \qquad \varepsilon_3 = \mu x_3. l\langle 1 \rangle \oplus r\langle \mu x_2. l\langle 0 \rangle \oplus r\langle x_3 \rangle \rangle$

satisfying, by construction, $\varepsilon_1 \sim s_1$, $\varepsilon_2 \sim s_2$ and $\varepsilon_3 \sim s_3$.

For the converse construction, consider the expression $\varepsilon = (\mu x. r\langle x \rangle) \oplus l\langle 1 \rangle$. We construct an automaton by repeatedly applying the coalgebra structure on expressions $\delta_{\mathcal{S}}$, modulo associativity, commutativity and idempotency (ACI) of $\oplus$, in order to guarantee finiteness. First, note that $\delta_{\mathcal{S}}(\mu x. r\langle x \rangle) = \delta_{\mathcal{S}}(r\langle \mu x. r\langle x \rangle \rangle) = \langle \bot_B, \mu x. r\langle x \rangle \rangle$. Applying the definition of $\delta_{\mathcal{S}}$ above, we have:

$\delta_{\mathcal{S}}(\varepsilon) = \langle 1, (\mu x. r\langle x \rangle) \oplus \emptyset \rangle \quad$ and $\quad \delta_{\mathcal{S}}((\mu x. r\langle x \rangle) \oplus \emptyset) = \langle 0, (\mu x. r\langle x \rangle) \oplus \emptyset \rangle$

which leads to the following stream (automaton):

[two states: $\varepsilon$, with output $1$, has a transition to $(\mu x. r\langle x \rangle) \oplus \emptyset$, which has output $0$ and a transition to itself]

At this point, we want to remark that the direct application of $\delta_{\mathcal{S}}$, without ACI, might generate infinite automata. Take, for instance, the expression $\varepsilon = \mu x. r\langle x \oplus x \rangle$. Note that $\delta_{\mathcal{S}}(\mu x. r\langle x \oplus x \rangle) = \langle 0, \varepsilon \oplus \varepsilon \rangle$, $\delta_{\mathcal{S}}(\varepsilon \oplus \varepsilon) = \langle 0, (\varepsilon \oplus \varepsilon) \oplus (\varepsilon \oplus \varepsilon) \rangle$, and so on. This would generate the infinite automaton

$\varepsilon \to \varepsilon \oplus \varepsilon \to (\varepsilon \oplus \varepsilon) \oplus (\varepsilon \oplus \varepsilon) \to \cdots \quad$ (all states with output $0$)

instead of the intended, simple and very finite, automaton

[a single state $\varepsilon$ with output $0$ and a transition to itself]

In order to guarantee finiteness, one needs to identify the expressions modulo ACI, as we will discuss further in this chapter. Moreover, the axiom $\varepsilon \oplus \emptyset = \varepsilon$ could also be used in order to obtain smaller automata, but it is not crucial for termination.

Streams will often be used as a basic example to illustrate the definitions. It should be remarked that the framework is general enough to include more complex examples, such as deterministic automata, automata on guarded strings, Mealy machines and labelled transition systems. The latter two will be used as examples in Section 3.5.


3.2 Deciding equivalence of expressions 

In this section, we briefly describe the decision procedure to determine whether two 
generalised regular expressions are equivalent or not. 

The key observation is that point 1 of Theorem 3.1.5 above guarantees that each expression in the language for a given system can always be associated with a finite coalgebra. Given two expressions $\varepsilon_1$ and $\varepsilon_2$ in the language $Exp_{\mathcal{G}}$ of a given functor $\mathcal{G}$, we can decide whether they are equivalent by constructing a finite bisimulation between them. This is because the finite coalgebra generated from an expression contains precisely all states that one needs to construct the equivalence relation. Even though this might seem like a trivial observation, it has very concrete consequences: for (all well-typed) generalised regular expressions we can always either determine that they are bisimilar, and exhibit a proof in the form of a bisimulation, or conclude that they are not bisimilar and pinpoint the difference by showing why the bisimulation construction failed. Hence, we have a decision procedure for equivalence of generalised regular expressions.
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We will give the reader a brief example on how the equivalence check works. Further 
examples, for different types of systems, including examples of non-equivalence, will 
appear in Section 1331 
We will show that the stream expressions

$$e_1 = \mu x.\, r(x) \oplus l(0)$$

and

$$e_2 = r(\mu x.\, r(x) \oplus l(0)) \oplus l(0)$$

are equivalent. In order to do that, we have to build a bisimulation relation $R$ on expressions for the stream functor $\mathrm{Str}$, defined above, such that $(e_1, e_2) \in R$. We do this in the following way: we start by taking $R = \{(e_1, e_2)\}$ and we check whether this is already a bisimulation, by applying $\delta_{\mathrm{Str}}$ to each of the expressions and checking whether the expressions have the same output value and, moreover, that no new pairs of expressions (modulo associativity, commutativity and idempotency; for more details see page 38) appear when taking transitions. Note that, for simplicity, we also use the sound axiom $e \oplus \emptyset = e$. If new pairs of expressions appear we add them to $R$ and repeat the process. Intuitively, for this particular example, the transition structure can be depicted as in Figure 3.1.

Figure 3.1: Bisimulation construction. Starting from $R = \{(e_1, e_2)\}$, the transition of $e_1$ leads to $e_1 \oplus \emptyset = e_1$ and the transition of $e_2$ leads to $e_1$; the pair $(e_1, e_1)$ is not yet in $R$, so it is added, giving $R = \{(e_1, e_2), (e_1, e_1)\}$.

In Figure 3.1 we omit the output values of the expressions, which are all $0$, and use the notation $e_1 \mathrel{R} e_2$ to denote $(e_1, e_2) \in R$. Note that $R = \{(e_1, e_2), (e_1, e_1)\}$ is closed under transitions and is therefore a bisimulation. Hence, $e_1$ and $e_2$ are bisimilar and specify the same infinite stream (concretely, the stream with only zeros).
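The construction just described, carried out mechanically for the stream functor $\mathrm{Str} = B \times \mathrm{Id}$, as an added Python example (this is not the thesis' CIRC/Maude encoding, and the tuple syntax for expressions, the two-element semilattice $B = \{0, 1\}$ with join $\max$ and bottom $0$, and the restriction of $l(\cdot)$ to semilattice constants are assumptions of the example). `delta` computes $\delta_{\mathrm{Str}}$ by unfolding fixed points, `norm` identifies expressions modulo associativity, commutativity, idempotency and $e \oplus \emptyset = e$, and `bisimilar` grows $R$ from $\{(e_1, e_2)\}$ until it is closed under transitions or an output mismatch is found. Besides $e_1$ and $e_2$ from the text it also checks a non-equivalent pair (the stream of ones) and a pair of alternating streams that needs two rounds.

```python
"""Decision procedure for bisimilarity of stream expressions, functor Str = B x Id, B = {0,1}."""

# Expression syntax as nested tuples (an encoding assumed by this example):
#   ('empty',)         the empty expression
#   ('plus', e1, e2)   e1 (+) e2
#   ('mu', x, e)       mu x. e
#   ('var', x)         x
#   ('l', ('b', n))    l(b): the head is the semilattice element b in B = {0,1}
#   ('r', e)           r(e): the tail is specified by e
# After `norm`, sums appear as ('sum', (m1, ..., mk)) with k >= 2 sorted members, no duplicates
# and no empty member: this is "modulo ACI and e (+) empty = e".

BOTTOM = 0  # bottom of the join-semilattice ({0,1}, max, 0)


def summands(e):
    if e[0] == 'empty':
        return []
    if e[0] == 'plus':
        return summands(e[1]) + summands(e[2])
    if e[0] == 'sum':
        return [s for m in e[1] for s in summands(m)]
    return [e]


def norm(e):
    """Canonical form modulo associativity, commutativity, idempotency and e (+) empty = e."""
    tag = e[0]
    if tag in ('plus', 'sum', 'empty'):
        members = sorted({norm(m) for m in summands(e)}, key=repr)
        if not members:
            return ('empty',)
        if len(members) == 1:
            return members[0]
        return ('sum', tuple(members))
    if tag == 'mu':
        return ('mu', e[1], norm(e[2]))
    if tag == 'r':
        return ('r', norm(e[1]))
    return e  # var, l


def subst(e, x, by):
    """e[by/x]; the expressions used here are closed, so capture cannot occur."""
    tag = e[0]
    if tag == 'var':
        return by if e[1] == x else e
    if tag == 'mu':
        return e if e[1] == x else ('mu', e[1], subst(e[2], x, by))
    if tag == 'r':
        return ('r', subst(e[1], x, by))
    if tag == 'sum':
        return ('sum', tuple(subst(m, x, by) for m in e[1]))
    if tag == 'plus':
        return ('plus', subst(e[1], x, by), subst(e[2], x, by))
    return e


def delta(e):
    """delta_Str(e) = (head in B, normalised tail expression)."""
    tag = e[0]
    if tag == 'empty':
        return (BOTTOM, ('empty',))                     # Empty for B x Id is <bottom, empty>
    if tag == 'l':
        return (e[1][1], ('empty',))                    # l(b) gives <b, Empty_Id>
    if tag == 'r':
        return (BOTTOM, e[1])                           # r(e) gives <bottom, e>
    if tag == 'mu':
        return delta(norm(subst(e[2], e[1], e)))        # unfold mu x.g to g[mu x.g / x]
    if tag in ('plus', 'sum'):
        heads, tails = zip(*(delta(m) for m in summands(e)))
        return (max(heads), norm(('sum', tuple(tails))))  # Plus is pointwise: join on B, (+) on tails
    raise ValueError(f"unguarded variable {e}")


def bisimilar(e1, e2):
    """(True, R) with R a bisimulation containing (e1, e2), or (False, failing pair, R so far)."""
    R = set()
    todo = [(norm(e1), norm(e2))]
    while todo:
        pair = todo.pop()
        if pair in R:
            continue                                    # already covered: R is closed here
        (b1, t1), (b2, t2) = delta(pair[0]), delta(pair[1])
        if b1 != b2:
            return (False, pair, R)                     # outputs differ: the construction fails
        R.add(pair)
        todo.append((t1, t2))                           # new pair reached by a transition
    return (True, R)


ZERO, ONE = ('l', ('b', 0)), ('l', ('b', 1))
E1 = ('mu', 'x', ('plus', ('r', ('var', 'x')), ZERO))     # mu x. r(x) (+) l(0)
E2 = ('plus', ('r', E1), ZERO)                          # r(mu x. r(x) (+) l(0)) (+) l(0)
E3 = ('mu', 'x', ('plus', ('r', ('var', 'x')), ONE))      # the stream of ones
E4 = ('mu', 'x', ('plus', ZERO, ('r', ('plus', ONE, ('r', ('var', 'x'))))))          # 0101...
E5 = ('plus', ZERO, ('r', ('mu', 'y', ('plus', ONE, ('r', ('plus', ZERO, ('r', ('var', 'y'))))))))

if __name__ == '__main__':
    print(bisimilar(E1, E2))   # (True, {(e1, e2), (e1, e1)})
    print(bisimilar(E1, E3))   # (False, (e1, e3), set()): heads 0 and 1 differ
    print(bisimilar(E4, E5))   # (True, a two-element bisimulation)
```

The failing case returns the pair at which the outputs differ, which is the "pinpoint the difference" part of the decision procedure; the successful case returns the bisimulation itself as the proof object.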


3.3 An algebraic view on the coalgebra of expressions 

Recall that our goal is to reason about equality of generalised regular expressions in a fully 
automated manner. Obtaining this equality can be achieved in two distinct ways: either 
algebraically, reasoning with the axioms, or coalgebraically, by constructing a bisimula¬ 
tion relation. The latter, because of its algorithmic nature, is particularly suited for au¬ 
tomation. Automatic constructions of bisimulations have been widely explored in CIRC 
and we will use this tool to implement our algorithm. This section contains material that 
enables us to soundly use CIRC. We want to stress however that the main result of this 
chapter is the description of a decision procedure to determine whether two expressions 
are equivalent or not. This procedure in turn could be implemented in any other suitable 
tool or even as a standalone application. Choosing CIRC was natural for us, given the pre-existing work on bisimulation constructions.

In short, CIRC is a behavioural extension of Maude [CDE+07] enabling the coinductive definition of infinite data structures by means of so-called "derivatives" ($\delta_{\mathcal G}$ in the case of generalised regular expressions). The prover allows (automated) reasoning on properties of such structures by coinduction (or bisimulation construction). The coinductive definitions are fed to CIRC in the shape of algebraic specifications which are closely related to the original mathematical representations. Once a proof obligation is set, CIRC starts the proving mechanism, which repeatedly applies the derivatives and (potentially) stops when a bisimulation containing the initial obligation is reached. For more insight on CIRC we refer to [GLR00, RL09] and Section 3.4.

In Section 3.4 we show that the process of generating the $\mathcal G$-coalgebras associated with expressions by repeatedly applying $\delta_{\mathcal G}$ and normalising the expressions obtained at each step is closely related to the proving mechanism already existing in CIRC.

In Section 3.1 we have introduced a (theoretical) framework which, given a functor $\mathcal G$, allows for the uniform derivation of 1) a language $\mathrm{Exp}_{\mathcal G}$ for specifying behaviours of $\mathcal G$-systems, and 2) a coalgebraic structure on $\mathrm{Exp}_{\mathcal G}$, which provides an operational semantics to the set of expressions. In this context, given that CIRC is based on algebraic specifications, we need two things in order to reach our final goal:

- extend and adapt the framework of Section 3.1 in order to enable the implementation of a tool which allows the automatic derivation of algebraic specifications that model 1) and 2) above, to deliver to CIRC;

- provide a decision procedure, implemented in CIRC based on an equational entailment relation, in order to check bisimilarity of expressions.

In the rest of this chapter we will present the algebraic setting for reasoning on bisimilarity of generalised regular expressions. A brief overview of the parallel between the coalgebraic concepts in [SBR10] and their algebraic correspondents introduced in this section is provided later, in Figure 3.2.

An algebraic specification is a triple $\mathcal E = (S, \Sigma, E)$, where $S$ is a set of sorts, $\Sigma$ is an $S$-sorted signature and $E$ is a set of conditional equations of the form $(\forall X)\; t = t' \text{ if } (\bigwedge_{i \in I} u_i = v_i)$, where $t$, $t'$, $u_i$ and $v_i$ ($i \in I$, a set of indices for the conditions) are $\Sigma$-terms with variables in $X$. We say that the sort of the equation is $s$ whenever $t, t' \in T_{\Sigma, s}(X)$. Here, $T_{\Sigma, s}(X)$ denotes the set of terms of sort $s$ of the $\Sigma$-algebra freely generated by $X$. If $I = \emptyset$ then the equation is unconditional and may be written as $(\forall X)\; t = t'$.

Let $\vdash$ be the equational entailment (deduction) relation defined as in [BGM92]. We write $\mathcal E \vdash e$ whenever equation $e$ is deducible from the equations $E$ in $\mathcal E$ by reflexivity, symmetry, transitivity, congruence or (conditional) substitutivity (i.e., whenever $E \vdash e$).

The algebraic specification of generalised regular expressions is built on top of definitions based on grammars in Backus-Naur form (BNF), such as (3.1) and (3.2). Next we introduce the general technique for transforming BNF notations into algebraic specifications.

The general rule used for translating definitions based on BNF grammars into algebraic specifications is as follows: each syntactical category and vocabulary is considered as a sort and each production is considered as a constructor operation or a subsort relation. For instance, according to the grammar (3.1) of non-deterministic functors, we have a sort SltName, representing the vocabulary of join-semilattices $B$, a sort AlphName, for the vocabulary of the alphabets $A$, a sort Functor, associated with the syntactical category of the non-deterministic functors $\mathcal G$, a subsort relation SltName < Functor representing the production $\mathcal G ::= B$, and constructor operations for the other productions.

Generally, each production A ::= rhs gives rise to a constructor (rhs) → (A), the direction of the arrow being reversed. For instance, for grammar (3.1), the production $\mathcal G ::= \mathrm{Id}$ is represented by a constant (nullary operation) Id : → Functor, and the sum construction by the binary operation

_ ⊕ _ : Functor Functor → Functor.

Remark 2 Note that the above mechanism for translating BNF grammars into algebraic specifications makes use of subsort relations for representing productions such as $\mathcal G ::= B$. This is because CIRC works with order-sorted algebras, and we want to keep the algebraic specifications of non-deterministic functors as close as possible to their implementation in CIRC.

The algebraic specifications of coalgebras of generalised regular expressions are defined in a modular fashion, based on the specifications of:

- non-deterministic functors ($\mathcal G$);

- generalised regular expressions ($e \in \mathrm{Exp}_{\mathcal G}$);

- "transition" functions ($\delta_{\mathcal G}$);

- "structured" expressions ($\sigma \in \mathcal F(\mathrm{Exp}_{\mathcal G})$, for all ingredients $\mathcal F$ of $\mathcal G$).

Moreover, recall that for a non-deterministic functor $\mathcal G$, bisimilarity of $\mathcal G$-expressions is decided based on the relation lifting $\overline{\mathcal G}$ over "structured" expressions in $\mathcal G(\mathrm{Exp}_{\mathcal G})$ (see (2.2) in Section 2.3.2). Therefore, the deduction relation $\vdash$ has to be extended to allow a restricted contextual reasoning over "structured" expressions in $\mathcal F(\mathrm{Exp}_{\mathcal G})$, for all ingredients $\mathcal F$ of $\mathcal G$.

The aforementioned algebraic specifications and the extension of $\vdash$ are modelled as follows.

The algebraic specification of a non-deterministic functor includes:

- the translation of the BNF grammar (3.1), as presented above;

- the specification of the functor ingredients, given by a sort Ingredient and a constructor _ ◁ _ : Functor Functor → Ingredient (according to Definition 3.1.1);

- the specification of each alphabet $A = \{a_1, \ldots, a_n\}$ occurring in the definition of $\mathcal G$; this consists of a subsort A < Alph, a constant $a_i$ : → A for $i \in \overline{1, n}$, and a distinguished constant A of sort AlphName used to refer to the alphabet in the definition of the functor;

- the specification of each semilattice $B = (\{b_1, \ldots, b_n\}, \vee, \bot_B)$ occurring in the definition of $\mathcal G$; this consists of a subsort B < Slt, a constant $b_i$ : → B for $i \in \overline{1, n}$, a distinguished constant B of sort SltName used to refer to the corresponding semilattice in the definition of the functor, and the equations defining $\vee$ and $\bot_B$ (this should be one of the $b_i$'s);

- an equation defining $\mathcal G$ (as a functor expression).
The algebraic specification of generalised regular expressions consists of:

- (according to the BNF grammar in Definition 3.1.2) a sort Exp representing expressions $e$, FixpVar the sort for the vocabulary of the fixed-point variables, and Slt the sort for the elements of semilattices. Moreover, we consider constructor operations for all the productions. For example, the production $e ::= e \oplus e$ is represented by an operation _ ⊕ _ : Exp Exp → Exp, and $e ::= \mu x.\gamma$ is represented by μ_._ : FixpVar Exp → Exp. (We chose not to provide any restriction to guarantee that $\gamma$ is a guarded expression at this stage, in the definition of μ_._. However, guards can be easily checked by pattern matching, according to the grammars in Definition 3.1.2);

- the specification of the substitution of a fixed-point variable with an expression, given by an operation _[_/_] : Exp Exp FixpVar → Exp and a set of equations, one for each constructor. For example, the equations associated with $\emptyset$ and $\oplus$ are: $\emptyset[e/x] = \emptyset$, and respectively, $(e_1 \oplus e_2)[e/x] = (e_1[e/x]) \oplus (e_2[e/x])$, where $e, e_1, e_2$ are $\mathcal G$-expressions and $x$ is a fixed-point variable;

- the specification of the type-checking relation in Definition 3.1.3, given by an operation _ : _ : Exp Ingredient → Bool and an equation for each inference rule defining this relation. For example the rule

$$\frac{\vdash e_1 : \mathcal F \lhd \mathcal G \qquad \vdash e_2 : \mathcal F \lhd \mathcal G}{\vdash e_1 \oplus e_2 : \mathcal F \lhd \mathcal G}$$

is represented by the equation $e_1 \oplus e_2 : \mathcal F \lhd \mathcal G \;=\; e_1 : \mathcal F \lhd \mathcal G \;\wedge\; e_2 : \mathcal F \lhd \mathcal G$. The type-checking operator is used in order to verify whether the expressions checked for equivalence are well-typed (Definition 3.1.4). Moreover, note that for the consistency of notation, algebraically we write $e : \mathcal F \lhd \mathcal G$ to represent expressions $e$ of type $\mathcal F \lhd \mathcal G$.


The algebraic specification of $\delta_{\mathcal G}$ consists of:

- the specification of the coalgebra of $\mathcal G$-expressions $\delta_{\mathcal G}$, given by three operations

δ_(_) : Ingredient Exp → ExpStruct
Empty_ : Ingredient → ExpStruct
Plus_(_,_) : Ingredient ExpStruct ExpStruct → ExpStruct;

- equations describing the definitions of these operations as in [SBR10].

As mentioned above, the set of $\mathcal G$-expressions is provided with a coalgebraic structure given by the function $\delta_{\mathcal G} : \mathrm{Exp}_{\mathcal G} \to \mathcal G(\mathrm{Exp}_{\mathcal G})$, where $\mathcal G(\mathrm{Exp}_{\mathcal G})$ can be understood as the set of expressions with structure given by $\mathcal G$ (and its ingredients). The set of structured expressions is defined by the following grammar:

$$\sigma ::= e \mid b \mid \langle \sigma, \sigma \rangle \mid k_1(\sigma) \mid k_2(\sigma) \mid \bot \mid \top \mid \lambda(a, \mathcal F \lhd \mathcal G, \sigma) \mid \{\sigma\} \qquad (3.5)$$

where $e \in \mathrm{Exp}_{\mathcal G}$ and $b \in B$. The typing rules below give precise meaning to these expressions. Note that $\bot$, $\top$ are two expressions coming from $\mathcal F = \mathcal F_1 \oplus \mathcal F_2$, used to denote underspecification and overspecification, respectively.

The associated algebraic specification includes:

- a sort ExpStruct representing expressions $\sigma$ (from $\mathcal F(\mathrm{Exp}_{\mathcal G})$, with $\mathcal F \lhd \mathcal G$), and one operation for each production in the BNF grammar (3.5). Note that the construction $\lambda(a, \mathcal F \lhd \mathcal G, \sigma)$ has as coalgebraic correspondent a function $f \in \mathcal F^A(\mathrm{Exp}_{\mathcal G})$, and is defined by cases as follows:

$$\lambda(a, \mathcal F \lhd \mathcal G, \sigma)(a') = \text{if } (a = a') \text{ then } \sigma \text{ else } \mathrm{Empty}_{\mathcal F \lhd \mathcal G};$$

- the extension of the type-checking relation to structured expressions, defined by:

$$\frac{\vdash b : B \lhd \mathcal G}{\vdash b \in B(\mathrm{Exp}_{\mathcal G})} \qquad \frac{\vdash e : \mathrm{Id} \lhd \mathcal G}{\vdash e \in \mathrm{Id}(\mathrm{Exp}_{\mathcal G})} \qquad \frac{}{\vdash \bot \in \mathcal F_1 \oplus \mathcal F_2(\mathrm{Exp}_{\mathcal G})} \qquad \frac{}{\vdash \top \in \mathcal F_1 \oplus \mathcal F_2(\mathrm{Exp}_{\mathcal G})}$$

$$\frac{\vdash \sigma \in \mathcal F_i(\mathrm{Exp}_{\mathcal G})}{\vdash k_i(\sigma) \in \mathcal F_1 \oplus \mathcal F_2(\mathrm{Exp}_{\mathcal G})} \qquad \frac{\vdash \sigma_1 \in \mathcal F_1(\mathrm{Exp}_{\mathcal G}) \qquad \vdash \sigma_2 \in \mathcal F_2(\mathrm{Exp}_{\mathcal G})}{\vdash \langle \sigma_1, \sigma_2 \rangle \in \mathcal F_1 \times \mathcal F_2(\mathrm{Exp}_{\mathcal G})}$$

$$\frac{\vdash \sigma \in \mathcal F(\mathrm{Exp}_{\mathcal G}) \qquad a \in A}{\vdash \lambda(a, \mathcal F \lhd \mathcal G, \sigma) \in \mathcal F^A(\mathrm{Exp}_{\mathcal G})} \qquad \frac{\vdash \sigma \in \mathcal F(\mathrm{Exp}_{\mathcal G})}{\vdash \{\sigma\} \in \mathcal P_\omega \mathcal F(\mathrm{Exp}_{\mathcal G})}$$

and specified by an operation _ ∈ _(Exp_) : ExpStruct Functor Functor → Bool (where we used a mix-fix notation) and an equation for each of the above inference rules. For example, the first rule has associated the equation $b \in B(\mathrm{Exp}_{\mathcal G}) = b : B \lhd \mathcal G$. For consistency of notation, we write $\sigma \in \mathcal F(\mathrm{Exp}_{\mathcal G})$ to denote that $\sigma$ is an element of $\mathcal F(\mathrm{Exp}_{\mathcal G})$.


Remark 3 In terms of membership equational logic (MEL) [BJM00], both $\mathcal F \lhd \mathcal G$ and $\mathcal F(\mathrm{Exp}_{\mathcal G})$ can be thought of as being sorts and, for example, $e : \mathcal F \lhd \mathcal G$ as a membership assertion. Even if MEL is an elegant theory, we prefer not to use it here because this implies the dynamic declaration of sorts and a set of assertions for each such sort. The above approach is generic and therefore more flexible.


As previously hinted at the beginning of this section, in order to algebraically reason on bisimilarity of $\mathcal G$-expressions in CIRC, one has to extend the deduction relation $\vdash$ to allow a restricted contextual reasoning on expressions in $\mathcal F(\mathrm{Exp}_{\mathcal G})$, for all ingredients $\mathcal F$ of a non-deterministic functor $\mathcal G$. We call the extended entailment $\vdash_{NDF}$.

The aforementioned restriction refers to inhibiting the use of congruence during equational reasoning, in order to guarantee the soundness of CIRC proofs. This is realised by means of a freezing operator, which intuitively behaves as a wrapper on the expressions checked for equivalence, by changing their sort to a fresh sort Frozen. This way, the hypotheses collected during a CIRC proof session cannot be used freely in contextual reasoning, hence preventing the derivation of untrue equations (as illustrated in Example 3.4.1).

We further show how the freezing mechanism is implemented in our algebraic setting, and define $\vdash_{NDF}$.

Let $\mathcal E$ be an algebraic specification. We extend $\mathcal E$ by adding the freezing operation $[\_] : s \to \mathrm{Frozen}$ for each sort $s \in S$, where Frozen is a fresh sort. By $[t]$ we represent the frozen form of a $\Sigma$-term $t$, and by $[e]$ a frozen equation of the shape $(\forall X)\; [t] = [t'] \text{ if } c$. Note that, according to [RL09], conditions $c$ need not be frozen, as their (so-called visible) sort does not allow their collection into the set of CIRC hypotheses. The entailment relation $\vdash$ is defined over frozen equations following [RL09]; more details are provided in Section 3.4.

Recall that a relation $R \subseteq \mathrm{Exp}_{\mathcal G} \times \mathrm{Exp}_{\mathcal G}$ is a bisimulation if and only if $(s, t) \in R \Rightarrow (\delta_{\mathcal G \lhd \mathcal G}(s), \delta_{\mathcal G \lhd \mathcal G}(t)) \in \overline{\mathcal G}(R)$. Here, $\overline{\mathcal G}(R) \subseteq \mathcal G(\mathrm{Exp}_{\mathcal G}) \times \mathcal G(\mathrm{Exp}_{\mathcal G})$ is the lifting of the relation $R \subseteq \mathrm{Exp}_{\mathcal G} \times \mathrm{Exp}_{\mathcal G}$, defined as

$$\overline{\mathcal G}(R) = \{(\mathcal G(\pi_1)(x), \mathcal G(\pi_2)(x)) \mid x \in \mathcal G(R)\}.$$

So, intuitively, reasoning on bisimilarity of two expressions $(e, e')$ in $R$ reduces to checking whether the application of $\delta_{\mathcal G \lhd \mathcal G}$ maps them into $\overline{\mathcal G}(R)$.

Therefore, checking whether a pair $(s^\delta, t^\delta)$ is in $\overline{\mathcal G}(R)$ consists in checking, for example for the case of $\mathcal G = \mathcal G_1 \times \mathcal G_2$, whether $(s_1^\delta, t_1^\delta) \in \overline{\mathcal G_1}(R)$ and $(s_2^\delta, t_2^\delta) \in \overline{\mathcal G_2}(R)$, where $s^\delta = \langle s_1^\delta, s_2^\delta \rangle$ and $t^\delta = \langle t_1^\delta, t_2^\delta \rangle$. In an algebraic setting, this would reduce to building an algebraic specification $\mathcal E$ and defining an entailment relation $\vdash_{NDF}$ such that one can infer $\mathcal E \vdash_{NDF} [\langle s_1^\delta, s_2^\delta \rangle] = [\langle t_1^\delta, t_2^\delta \rangle]$ (this is the algebraic correspondent we consider for $(\langle s_1^\delta, s_2^\delta \rangle, \langle t_1^\delta, t_2^\delta \rangle) \in \overline{\mathcal G}(R)$) by showing $\mathcal E \vdash_{NDF} [s_1^\delta] = [t_1^\delta]$ (or $(s_1^\delta, t_1^\delta) \in \overline{\mathcal G_1}(R)$) and $\mathcal E \vdash_{NDF} [s_2^\delta] = [t_2^\delta]$ (or $(s_2^\delta, t_2^\delta) \in \overline{\mathcal G_2}(R)$). We hint that the aforementioned algebraic specification $\mathcal E$ consists of $\mathcal E_{\mathcal G}$ and a set of frozen equations (see Corollary 3.3.4).

The entailment relation $\vdash_{NDF}$ for reasoning on bisimilarity of $\mathcal G$-expressions is based on the definition of $\mathcal G$.


3.3.1 Definition. The entailment relation $\vdash_{NDF}$ is the extension of $\vdash$ with the following inference rules, which allow a restricted contextual reasoning over the frozen equations of structured expressions:

$$\frac{\vdash_{NDF} [\sigma_1] = [\sigma_1'] \qquad \vdash_{NDF} [\sigma_2] = [\sigma_2']}{\vdash_{NDF} [\langle \sigma_1, \sigma_2 \rangle] = [\langle \sigma_1', \sigma_2' \rangle]} \qquad (3.6)$$

$$\frac{\vdash_{NDF} [\sigma] = [\sigma']}{\vdash_{NDF} [k_i(\sigma)] = [k_i(\sigma')]} \quad i \in \overline{1, 2} \qquad (3.7)$$

$$\frac{\vdash_{NDF} [f(a)] = [g(a)], \text{ for all } a \in A}{\vdash_{NDF} [f] = [g]} \qquad (3.8)$$

$$\frac{\vdash_{NDF} [\sigma_{i_1}] = [\sigma'_{j_1}] \qquad \ldots \qquad \vdash_{NDF} [\sigma_{i_t}] = [\sigma'_{j_t}]}{\vdash_{NDF} [\{\sigma_1, \ldots, \sigma_n\}] = [\{\sigma_1', \ldots, \sigma_m'\}]} \quad \{i_1, \ldots, i_t\} = \{1, \ldots, n\},\ \{j_1, \ldots, j_t\} = \{1, \ldots, m\} \qquad (3.9)$$


Remark 4 Note that the extension of the entailment relation $\vdash$ to $\vdash_{NDF}$ implies that $\mathcal E_{\mathcal G} \vdash e$ iff $\mathcal E_{\mathcal G} \vdash_{NDF} e$ holds, for any equation $e$ of shape $[e_1] = [e_2]$ or $e_1 = e_2$, with $e_1, e_2$ non-structured expressions. Below, we will use the notation $\vdash_{NDF} E$, where $E$ is a set of possibly frozen equations, to denote $\forall e \in E.\; \mathcal E_{\mathcal G} \vdash_{NDF} e$.

It is interesting to recall the relation lifting for the powerset functor, which is encoded in the last rule of Definition 3.3.1. A pair $(U, V)$ is in $\overline{\mathcal P_\omega \mathcal F}(R)$ if and only if for every $u \in U$ there exists a $v \in V$ such that $(u, v)$ belongs to $\overline{\mathcal F}(R)$ and, conversely, for every $v \in V$, there exists a $u \in U$ such that $(u, v)$ belongs to $\overline{\mathcal F}(R)$.
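The top-down check behind rules (3.6)-(3.9), as an added Python example that is not part of the thesis or of CIRC: functor ingredients and structured expressions are encoded as nested tuples (an assumption of the example), $cl(R_{id})$ is computed explicitly from a finite $R$, and the powerset case implements the two-sided cover condition just recalled, so that $\{\sigma_1, \ldots, \sigma_n\}$ and $\{\sigma_1', \ldots, \sigma_m'\}$ with $n \neq m$ can still be related. The functor $2 \times \mathcal P_\omega(\mathrm{Id})^A$ and the expression names used as sample input are constructed for illustration.

```python
"""Relation lifting F-bar(cl(R_id)) over structured expressions, ingredient by ingredient."""

# Functor ingredients, encoded as nested tuples (an encoding assumed by this example):
#   ('Id',)   ('B',)   ('x', F1, F2)   ('+', F1, F2)   ('^', alphabet, F)   ('P', F)
# Structured expressions sigma over F(Exp):
#   Id: an expression name (str)        B: a semilattice element (int)
#   x:  ('pair', s1, s2)                +: ('k1', s) | ('k2', s) | 'bot' | 'top'
#   ^A: ('fun', ((a, s), ...)) total on the alphabet     P: frozenset of structured expressions


def closure(R):
    """cl(R_id): R plus identity on the names it mentions, closed under symmetry and transitivity.
    Identity pairs (e, e) for names not mentioned in R are handled by `lifted` directly."""
    rel = set(R) | {(e, e) for p in R for e in p}
    rel |= {(y, x) for (x, y) in rel}
    while True:
        new = {(x, z) for (x, y) in rel for (y2, z) in rel if y == y2} - rel
        if not new:
            return rel
        rel |= new


def lifted(F, s, t, rel):
    """(s, t) in F-bar(rel): the top-down check of the inverted rules (3.6)-(3.9)."""
    tag = F[0]
    if tag == 'Id':                    # hypotheses in R may be used here and nowhere else
        return s == t or (s, t) in rel
    if tag == 'B':                     # constants are compared in the semilattice, R is not consulted
        return s == t
    if tag == 'x':                     # rule (3.6): componentwise
        return lifted(F[1], s[1], t[1], rel) and lifted(F[2], s[2], t[2], rel)
    if tag == '+':                     # rule (3.7): same injection; bot/top only match themselves
        if s in ('bot', 'top') or t in ('bot', 'top'):
            return s == t
        if s[0] != t[0]:
            return False
        return lifted(F[1] if s[0] == 'k1' else F[2], s[1], t[1], rel)
    if tag == '^':                     # rule (3.8): pointwise for every letter of the alphabet
        fs, ft = dict(s[1]), dict(t[1])
        return all(lifted(F[2], fs[a], ft[a], rel) for a in F[1])
    if tag == 'P':                     # rule (3.9): every element on each side is matched on the other
        return (all(any(lifted(F[1], u, v, rel) for v in t) for u in s)
                and all(any(lifted(F[1], u, v, rel) for u in s) for v in t))
    raise ValueError(f"unknown ingredient {F}")


# Sample input, constructed for this example: the functor 2 x P(Id)^A of non-deterministic
# automata over A = {a, b}, and the structured expressions of two states that both accept
# (output 1), move on 'a' to {e1, e2} and {e3} respectively, and have no 'b'-transitions.
NDA = ('x', ('B',), ('^', ('a', 'b'), ('P', ('Id',))))
S_EXP = ('pair', 1, ('fun', (('a', frozenset({'e1', 'e2'})), ('b', frozenset()))))
T_EXP = ('pair', 1, ('fun', (('a', frozenset({'e3'})), ('b', frozenset()))))

if __name__ == '__main__':
    print(lifted(NDA, S_EXP, T_EXP, closure({('e1', 'e3'), ('e2', 'e3')})))   # True
    print(lifted(NDA, S_EXP, T_EXP, closure({('e1', 'e3')})))                 # False: e2 is uncovered
```

Only the Id case consults the hypotheses, which is the algebraic content of freezing: a pair from $R$ can close a leaf of the top-down check but can never be applied inside a pair, injection, function or set.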
Remark 5 As already hinted (and proved in Corollary 3.3.4), reasoning on bisimilarity of expressions in a binary relation $R \subseteq \mathrm{Exp}_{\mathcal G} \times \mathrm{Exp}_{\mathcal G}$ reduces to showing that $\delta_{\mathcal G}(s) = \delta_{\mathcal G}(t)$ is a $\vdash_{NDF}$-consequence, for all $(s, t) \in R$. The equational proof is performed in a "top-down" fashion, by reasoning on the subsequent equalities between the components of the corresponding structured expressions $\delta_{\mathcal G}(s)$, $\delta_{\mathcal G}(t)$ in an inductive manner. This is realised by applying the inverted rules (3.6)-(3.9).

Moreover, note that rule (3.9) is not invertible in the usual sense; rather, any statement matching the form of the conclusion can only be proved by some instance of the rule.

We will further formalise the connection between the inductive definition of $\overline{\mathcal G}$ (on the coalgebraic side) and $\vdash_{NDF}$ (on the algebraic side) in Theorem 3.3.2, hence enabling the definition of bisimulations in algebraic terms, in Corollary 3.3.4.

Remark 6 Equations in $\mathcal E_{\mathcal G}$ (built as previously described in this section) are used in the equational reasoning only for reducing terms of shape $op(t_1, \ldots, t_n)$ according to the definition of the operation $op$. For the simplicity of the proofs of Theorem 3.3.2 and Corollary 3.3.4, whenever we write $op(t_1, \ldots, t_n)$, we refer to the associated term reduced according to the definition of $op$.


First we introduce some notational conventions. Let $\mathcal G$ be a non-deterministic functor and $R \subseteq \mathrm{Exp}_{\mathcal G} \times \mathrm{Exp}_{\mathcal G}$. We write:

- $R_{id}$ to denote the set $R \cup \{(e, e) \mid \mathcal E_{\mathcal G} \vdash e : \mathcal G \lhd \mathcal G = \mathrm{true}\}$;

- $cl(R)$ for the closure of $R$ under transitivity, symmetry and reflexivity;

- $[R]$ to represent the set $\bigcup_{e \in R} \{[e]\}$ (application of the freezing operator to all elements of $R$);

- $\delta_{\mathcal F \lhd \mathcal G}(e = e')$ to represent the equation $\delta_{\mathcal F \lhd \mathcal G}(e) = \delta_{\mathcal F \lhd \mathcal G}(e')$;

- $\mathcal E_{\mathcal G} \cup [R]$ as a shorthand for $(S, \Sigma, E \cup \{[e] = [e'] \mid (e, e') \in R\})$, where $\mathcal E_{\mathcal G} = (S, \Sigma, E)$;

- $(\sigma, \sigma') \in \overline{\mathcal F}(R)$ as a shorthand for: $(\sigma, \sigma')$ is among the enumerated elements of a set $S$ explicitly constructed as an enumeration of the finite set $\overline{\mathcal F}(R)$ (in the algebraic setting, $\overline{\mathcal F}(R)$ is a subset of $T_{\Sigma, \mathrm{ExpStruct}} \times T_{\Sigma, \mathrm{ExpStruct}}$ and $\mathcal E_{\mathcal G} \vdash \overline{\mathcal F}(R) = S$).


3.3.2 Theorem. Consider a non-deterministic functor $\mathcal G$. Let $\mathcal F$ be an ingredient of $\mathcal G$, $R$ a binary relation on the set of $\mathcal G$-expressions, and $\sigma, \sigma' \in \mathcal F(\mathrm{Exp}_{\mathcal G})$.

a) If $\mathcal G$ is not a constant functor, then $(\sigma, \sigma') \in \overline{\mathcal F}(cl(R_{id}))$ iff $\mathcal E_{\mathcal G} \cup [R] \vdash_{NDF} [\sigma] = [\sigma']$.

b) If $\mathcal G$ is a constant functor $B$, then $(\sigma, \sigma') \in \overline{B}(cl(R_{id}))$ iff $\mathcal E_{\mathcal G} \vdash_{NDF} [\sigma] = [\sigma']$.

In order to prove Theorem 3.3.2 a) we introduce the following lemma:

3.3.3 Lemma. Consider a non-deterministic functor $\mathcal G$ and $R$ a binary relation on the set of $\mathcal G$-expressions. If $(e, e') \in cl(R_{id})$ then $\mathcal E_{\mathcal G} \cup [R] \vdash_{NDF} [e] = [e']$.

Proof. The proof is trivial, as equality is reflexive, symmetric and transitive.

We are now ready to prove Theorem 3.3.2.

Proof (Theorem 3.3.2).
- Proof of Theorem 3.3.2 a).

"$\Rightarrow$". The proof is by induction on the structure of $\mathcal F$.

Base case:

* $\mathcal F = B$. It follows that $(\sigma, \sigma')$ is of shape $(b, b)$ where $b \in B$, therefore $\mathcal E_{\mathcal G} \cup [R] \vdash_{NDF} [b] = [b]$ holds by reflexivity.

* $\mathcal F = \mathrm{Id}$. In this case $(\sigma, \sigma') \in cl(R_{id}) = \overline{\mathrm{Id}}(cl(R_{id}))$, so the result follows immediately by Lemma 3.3.3.

Induction step:

* $\mathcal F = \mathcal F_1 \times \mathcal F_2$. Obviously, $\sigma = \langle \sigma_1, \sigma_2 \rangle$ and $\sigma' = \langle \sigma_1', \sigma_2' \rangle$, where $(\sigma_1, \sigma_1') \in \overline{\mathcal F_1}(cl(R_{id}))$ and $(\sigma_2, \sigma_2') \in \overline{\mathcal F_2}(cl(R_{id}))$. Therefore, by the induction hypothesis, both $\mathcal E_{\mathcal G} \cup [R] \vdash_{NDF} [\sigma_1] = [\sigma_1']$ and $\mathcal E_{\mathcal G} \cup [R] \vdash_{NDF} [\sigma_2] = [\sigma_2']$ hold. Hence, according to the definition of $\vdash_{NDF}$ (see (3.6)), we conclude that $\mathcal E_{\mathcal G} \cup [R] \vdash_{NDF} [\langle \sigma_1, \sigma_2 \rangle] = [\langle \sigma_1', \sigma_2' \rangle]$ holds.

* The cases $\mathcal F = \mathcal F_1 \oplus \mathcal F_2$, $\mathcal F = \mathcal F'^A$ and $\mathcal F = \mathcal P_\omega \mathcal F'$ are handled in a similar way.

"$\Leftarrow$". We proceed also by induction on the structure of $\mathcal F$. Moreover, recall that the observations in Remark 6 hold (for each of the subsequent cases).

Base case:

* $\mathcal F = B$. In this case $(\sigma, \sigma')$ is of shape $(b, b')$, where $b, b'$ are two elements of the semilattice $B$. Also, recall that $\mathcal G \neq B$, therefore the equations (of type $\mathcal G \lhd \mathcal G$) in $[R]$ are not involved in the equational reasoning. We deduce that $[b] = [b']$ is proved by reflexivity, hence $(b, b') = (b, b) \in \overline{B}(cl(R_{id}))$.

* $\mathcal F = \mathrm{Id}$. Note that for this case, $\sigma, \sigma'$ are expressions of the same type as the expressions in $R$. We further identify two possibilities:

  - $[\sigma] = [\sigma']$ is proved by reflexivity. Therefore $(\sigma, \sigma') \in \{(e, e) \mid e : \mathcal G \lhd \mathcal G\} \subseteq R_{id} \subseteq cl(R_{id}) = \overline{\mathrm{Id}}(cl(R_{id}))$.

  - The equations in $[R]$ are used in the equational reasoning $\mathcal E_{\mathcal G} \cup [R] \vdash_{NDF} [\sigma] = [\sigma']$. In addition, the freezing operator inhibits contextual reasoning, therefore $[\sigma] = [\sigma']$ is proved according to the equations in $[R]$, based on the symmetry and transitivity of $\vdash_{NDF}$. In other words, $(\sigma, \sigma') \in cl(R_{id}) = \overline{\mathrm{Id}}(cl(R_{id}))$.

Induction step:

* $\mathcal F = \mathcal F_1 \times \mathcal F_2$. Obviously, due to their type, the equations in $[R]$ are not involved in the equational reasoning. Therefore, $\mathcal E_{\mathcal G} \cup [R] \vdash_{NDF} [\langle \sigma_1, \sigma_2 \rangle] = [\langle \sigma_1', \sigma_2' \rangle]$ is a consequence of the inverted rule (3.6). More explicitly, it follows that $\mathcal E_{\mathcal G} \cup [R] \vdash_{NDF} [\sigma_1] = [\sigma_1']$ and $\mathcal E_{\mathcal G} \cup [R] \vdash_{NDF} [\sigma_2] = [\sigma_2']$ must hold. By the induction hypothesis, we deduce that $(\sigma_1, \sigma_1') \in \overline{\mathcal F_1}(cl(R_{id}))$ and $(\sigma_2, \sigma_2') \in \overline{\mathcal F_2}(cl(R_{id}))$. So by the definition of $\overline{\mathcal F_1 \times \mathcal F_2}$ we conclude that $(\langle \sigma_1, \sigma_2 \rangle, \langle \sigma_1', \sigma_2' \rangle) = (\sigma, \sigma') \in \overline{\mathcal F_1 \times \mathcal F_2}(cl(R_{id}))$.























* The cases $\mathcal F = \mathcal F_1 \oplus \mathcal F_2$, $\mathcal F = \mathcal F'^A$ and $\mathcal F = \mathcal P_\omega \mathcal F'$ follow a similar reasoning.

- Proof of Theorem 3.3.2 b). It follows immediately by the definition of $\overline{B}$ and Remark 6.


Remark 7 For a more intuitive justification of the distinction between constant and non-constant functors in Theorem 3.3.2, note that in CIRC, proof obligations $[t] = [t']$ of a type (sort) that serves as "base case" in the co-recursive definitions are not collected as hypotheses during a proof session. Hence, in the context of $\mathcal G$-expressions, whenever $\mathcal G = B$, the hypotheses set $R$ is empty. Consequently, a corresponding obligation $[e] = [e']$ of type $B$ is proved only according to the equations in $\mathcal E_{\mathcal G}$, by applying transitivity, symmetry and reflexivity.

3.3.4 Corollary. Let $\mathcal G$ be a non-deterministic functor and $R$ a binary relation on the set of $\mathcal G$-expressions.

a) If $\mathcal G$ is a non-constant functor, then $cl(R_{id})$ is a bisimulation iff $\mathcal E_{\mathcal G} \cup [R] \vdash_{NDF} \delta_{\mathcal G \lhd \mathcal G}(R)$.

b) If $\mathcal G$ is a constant functor $B$, then $cl(R_{id})$ is a bisimulation iff $\mathcal E_{\mathcal G} \vdash_{NDF} \delta_{\mathcal G \lhd \mathcal G}(R)$.

Proof.

- Proof of Corollary 3.3.4 a). We reason as follows:

$cl(R_{id})$ is a bisimulation
$\Leftrightarrow (\forall (e, e') \in cl(R_{id})).\; (\delta_{\mathcal G \lhd \mathcal G}(e), \delta_{\mathcal G \lhd \mathcal G}(e')) \in \overline{\mathcal G}(cl(R_{id}))$
$\Leftrightarrow \mathcal E_{\mathcal G} \cup [R] \vdash_{NDF} \delta_{\mathcal G \lhd \mathcal G}(cl(R_{id}))$ (Thm. 3.3.2)
$\Leftrightarrow \mathcal E_{\mathcal G} \cup [R] \vdash_{NDF} \delta_{\mathcal G \lhd \mathcal G}(R)$ (definition of $cl(R_{id})$ and of $\vdash_{NDF}$)

- Proof of Corollary 3.3.4 b). It follows immediately by the definition of bisimulation relations and according to the observations in Remark 6.

In Figure 3.2 we briefly summarise the results of the current section, namely, the algebraic encoding of the coalgebraic setting presented in [SBR10].


3.4 Deciding bisimilarity in CIRC

We next describe how the coinductive theorem prover CIRC [LGCR09] can be used to implement the decision procedure for the bisimilarity of generalised regular expressions which we discussed above.

CIRC can be seen as an extension of Maude with behavioural features, and its implementation is derived from that of Full Maude. In order to use the prover, one needs to provide a specification (a CIRC theory) and a set of goals. A CIRC theory $\mathcal B = (S, (\Sigma, \Delta), (E, \mathcal I))$ consists of an algebraic specification $(S, \Sigma, E)$, a set $\Delta$ of derivatives, and a set $\mathcal I$ of equational interpolants, which are expressions of the form $e \Rightarrow \{e_i \mid i \in I\}$ where $e$ and $e_i$ are equations. The intuition for this type of expression is simple: $e$ holds whenever for any $i$ in $I$ the equation $e_i$ holds. In other words, to prove $E \vdash e$ one can choose to
instead prove $E \vdash \{e_i \mid i \in I\}$. For the particular case of non-deterministic functors, we use equational interpolants to extend the initial entailment relation in a way consistent with rules (3.6)-(3.9). (For more information on equational interpolants see [GLR10].)

Figure 3.2: Non-deterministic functors, coalgebraic vs. algebraic approach. Each row pairs a coalgebraic notion (left) with its algebraic correspondent (right):

  $\mathrm{Exp}_{\mathcal G \lhd \mathcal G}$ | $\{e \in T_{\Sigma, \mathrm{Exp}} \mid \mathcal E_{\mathcal G} \vdash e : \mathcal G \lhd \mathcal G = \mathrm{true}\}$
  $\mathrm{Exp}_{\mathcal F \lhd \mathcal G}$ | $\{e \in T_{\Sigma, \mathrm{Exp}} \mid \mathcal E_{\mathcal G} \vdash e : \mathcal F \lhd \mathcal G = \mathrm{true}\}$
  $\mathcal F(\mathrm{Exp}_{\mathcal G})$ | $\{\sigma \in T_{\Sigma, \mathrm{ExpStruct}} \mid \mathcal E_{\mathcal G} \vdash \sigma \in \mathcal F(\mathrm{Exp}_{\mathcal G}) = \mathrm{true}\}$
  $\delta_{\mathcal F \lhd \mathcal G} : \mathrm{Exp}_{\mathcal F \lhd \mathcal G} \to \mathcal F(\mathrm{Exp}_{\mathcal G})$ | δ_(_) : Ingredient Exp → ExpStruct
  $(\sigma, \sigma') \in \overline{\mathcal F}(cl(R_{id}))$ | $\mathcal E_{\mathcal G} \vdash \sigma \in \mathcal F(\mathrm{Exp}_{\mathcal G}) = \mathrm{true}$, $\mathcal E_{\mathcal G} \vdash \sigma' \in \mathcal F(\mathrm{Exp}_{\mathcal G}) = \mathrm{true}$, and $\mathcal E_{\mathcal G} \cup [R] \vdash_{NDF} [\sigma] = [\sigma']$ if $\mathcal G \neq B$, or $\mathcal E_{\mathcal G} \vdash_{NDF} [\sigma] = [\sigma']$ if $\mathcal G = B$ (Thm. 3.3.2)
  $cl(R_{id})$ is a bisimulation | $\mathcal E_{\mathcal G} \cup [R] \vdash_{NDF} \delta_{\mathcal G \lhd \mathcal G}(R)$ if $\mathcal G \neq B$, or $\mathcal E_{\mathcal G} \vdash_{NDF} \delta_{\mathcal G \lhd \mathcal G}(R)$ if $\mathcal G = B$ (Cor. 3.3.4)
A derivative $\delta \in \Delta$ is a $\Sigma$-term containing a special variable $*{:}s$ (i.e., a $\Sigma$-context), where $s$ is the sort of the variable $*$. If $e$ is an equation $t = t'$ with $t$ and $t'$ of sort $s$, then $\delta[e]$ is $\delta[t/{*{:}s}] = \delta[t'/{*{:}s}]$. We call this type of equation a derivable equation. The other equations are non-derivable. We write $\delta[R]$ to represent $\{\delta[e] \mid e \in R\}$, where $R$ is a set of derivable equations, and $\Delta[e]$ for the set $\{\delta[e] \mid \delta \in \Delta \text{ appropriate for } e\}$.

Moreover, note that CIRC works with an extension of the entailment relation $\vdash$ over frozen equations (introduced in Section 3.3), with two more axioms, as in [RL09]:

$$E \cup R \vdash [e] \text{ iff } E \vdash e \qquad (3.10)$$

$$E \cup R \vdash G \text{ implies } E \cup \delta[R] \vdash \delta[G] \text{ for each } \delta \in \Delta \qquad (3.11)$$

Above, $E$ ranges over unfrozen equations, $e$ over non-derivable unfrozen equations, and $R$, $G$ over derivable frozen equations.

Remark 8 Note that the new entailment $\vdash_{NDF}$ extended over frozen equations (in Definition 3.3.1) satisfies the assumptions (3.10) and (3.11).

CIRC implements the coinductive proof system given in [RL09] using a set of reduction rules of the form $(\mathcal B, F, G) \Rightarrow (\mathcal B, F', G')$, where $\mathcal B$ represents a specification, $F$ is the coinductive hypothesis (a set of frozen equations) and $G$ is the current set of goals. The freezing operator is defined as described in Section 3.3. Here is a brief description of these rules:

[Done]: $(\mathcal B, F, \{\}) \Rightarrow \cdot$

Whenever the set of goals is empty, the system terminates with success.

[Reduce]: $(\mathcal B, F, G \cup \{[e]\}) \Rightarrow (\mathcal B, F, G)$ if $\mathcal B \cup F \vdash [e]$

If the current goal is a $\vdash$-consequence of $\mathcal B \cup F$ then $[e]$ is removed from the set of goals.

[Derive]: $(\mathcal B, F, G \cup \{[e]\}) \Rightarrow (\mathcal B, F \cup \{[e]\}, G \cup [\Delta[e]])$ if $\mathcal B \cup F \nvdash [e]$

When the current goal $e$ is derivable and it is not a $\vdash$-consequence, it is added to the hypotheses and its derivatives to the set of goals.

[Simplify]: $(\mathcal B, F, G \cup \{[\theta(e)]\}) \Rightarrow (\mathcal B, F, G \cup \{[\theta(e_i)] \mid i \in I\})$ if $e \Rightarrow \{e_i \mid i \in I\}$ is an equational interpolant from the specification and $\theta : X \to T_\Sigma(Y)$ is a substitution.

[Fail]: $(\mathcal B, F, G \cup \{[e]\}) \Rightarrow \text{failure}$ if $\mathcal B \cup F \nvdash [e]$ and $e$ is non-derivable

This rule stops the reduction process with failure whenever the current goal $e$ is non-derivable and is not a $\vdash$-consequence of $\mathcal B \cup F$.

It is worth noting that there is a strong connection between a CIRC proof and the construction of a bisimulation relation. We illustrate this fact and the importance of the freezing operator with a simple example.

3.4.1 Example. Consider the case of infinite streams. The set $B^\omega$ of infinite streams over a set $B$ is the final coalgebra of the functor $\mathrm{Str} = B \times \mathrm{Id}$, with a coalgebra structure given by $hd$ and $tl$, the functions that return the head and the tail of the stream, respectively. Our purpose is to prove that $0^\infty = (00)^\infty$. Let $z$ and $zz$ represent the stream on the left-hand side and, respectively, on the right-hand side. These streams are defined by the equations: $hd(z) = 0$, $tl(z) = z$, $hd(zz) = 0$, $tl(zz) = 0 : zz$. Note that equations over $B$ like $hd(z) = 0$ are not derivable and equations over streams like $tl(z) = z$ are derivable.

In Figure 3.3 we present the correlation between the CIRC proof and the construction of the bisimulation relation. Note how CIRC collects the elements of the bisimulation as frozen hypotheses.

Let us analyse what would happen if the freezing operator $[\_]$ was not used. Suppose the circular coinduction algorithm added the equation $z = zz$ in its unfrozen form to the hypotheses. After applying the derivatives we obtain the goals $hd(z) = hd(zz)$ and $tl(z) = tl(zz)$. At this point, the prover could use the freshly added equation $z = zz$ and, according to the congruence rule, both goals would be proven directly, though we would still be in the process of showing that the hypothesis holds. By following a similar reasoning, we could also prove that $0^\infty = 1^\infty$! In order to avoid these situations, the hypotheses are frozen (i.e., their sort is changed from Stream to Frozen) and this stops the application of the congruence rule, forcing the application of the derivatives according to their definition in the specification. Therefore, the use of the freezing operator is vital for the soundness of circular coinduction.
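The proof of Example 3.4.1 replayed by a small circular-coinduction loop, as an added Python example (this is not CIRC itself; the stream specification and the constant names `z`, `zz` and `o` are constructed for the example). [Reduce], [Derive] and [Fail] are applied with frozen hypotheses, so a collected equation can only close a goal that is literally (up to symmetry and transitivity) one of the hypotheses. A `frozen=False` switch models the unsound variant just described, in which a hypothesis may also be used underneath $hd$ and $tl$ by congruence; with it, $0^\infty = 1^\infty$ "proves".

```python
"""Circular coinduction on streams with frozen hypotheses, and the unsound unfrozen variant."""

# Stream specification constructed for this example (the streams of Example 3.4.1 plus 1^inf).
# A stream term is a constant name or ('cons', b, s), written b : s in the text.
SPEC = {
    'z':  (0, 'z'),                 # hd(z) = 0,  tl(z) = z          z  = 0^inf
    'zz': (0, ('cons', 0, 'zz')),   # hd(zz) = 0, tl(zz) = 0 : zz    zz = (00)^inf
    'o':  (1, 'o'),                 # hd(o) = 1,  tl(o) = o          o  = 1^inf
}


def hd(s):
    return s[1] if isinstance(s, tuple) else SPEC[s][0]


def tl(s):
    return s[2] if isinstance(s, tuple) else SPEC[s][1]


def in_closure(pair, F):
    """[s] = [t] follows from the frozen hypotheses F by reflexivity, symmetry and transitivity
    only: no congruence, so a hypothesis never applies underneath hd or tl."""
    s, t = pair
    reach, todo = {s}, [s]
    while todo:
        x = todo.pop()
        for (a, b) in F:
            for y in ([b] if a == x else []) + ([a] if b == x else []):
                if y not in reach:
                    reach.add(y)
                    todo.append(y)
    return t in reach


def ev(term):
    """Reduce hd(s) / tl(s) with the equations of the specification (as in Remark 6)."""
    if isinstance(term, tuple) and term[0] in ('hd', 'tl'):
        return hd(term[1]) if term[0] == 'hd' else tl(term[1])
    return term


def holds(sort, lhs, rhs, F, frozen):
    """B u F |- [lhs] = [rhs].  With frozen=False a hypothesis s = t also discharges
    hd(s) = hd(t) and tl(s) = tl(t) by congruence, which is what freezing forbids."""
    if (not frozen and isinstance(lhs, tuple) and isinstance(rhs, tuple)
            and lhs[0] == rhs[0] and lhs[0] in ('hd', 'tl')
            and in_closure((lhs[1], rhs[1]), F)):
        return True
    a, b = ev(lhs), ev(rhs)
    return a == b if sort == 'B' else in_closure((a, b), F)


def prove(s, t, frozen=True, max_steps=100):
    """('success', F) with F the bisimulation collected as hypotheses, or ('failure', goal)."""
    F, G = set(), [('Stream', s, t)]
    for _ in range(max_steps):
        if not G:
            return ('success', F)                                     # [Done]
        sort, lhs, rhs = G.pop()
        if holds(sort, lhs, rhs, F, frozen):
            continue                                                  # [Reduce]
        if sort == 'B':
            return ('failure', (sort, ev(lhs), ev(rhs)))              # [Fail]: non-derivable goal
        a, b = ev(lhs), ev(rhs)
        F.add((a, b))                                                 # [Derive]: freeze the goal
        G += [('B', ('hd', a), ('hd', b)), ('Stream', ('tl', a), ('tl', b))]   # its derivatives
    return ('failure', ('timeout',))


if __name__ == '__main__':
    print(prove('z', 'zz'))                # success, F = {(z, zz), (z, 0 : zz)}
    print(prove('z', 'o'))                 # failure on the hd goal: 0 != 1
    print(prove('z', 'o', frozen=False))   # "success": the unsound proof of 0^inf = 1^inf
```

The successful run collects exactly the two pairs of Figure 3.3, and the goal `tl(z) = tl(0 : zz)` is discharged by the earlier hypothesis `[z] = [zz]`, which is the circular step; the unfrozen run shows that the same step applied one level too early, through congruence, proves a false equation.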


Figure 3.3: Parallel between a CIRC proof and the bisimulation construction (reconstructed as a trace; $(zz)'$ stands for $tl(zz) = 0 : zz$):

  (add goal z = zz .) $(\mathcal B, \emptyset, \{[z] = [zz]\})$ | $F = \emptyset$; $z \sim zz$?
  [Derive] $(\mathcal B, \{[z] = [zz]\}, \{[hd(z)] = [hd(zz)],\ [tl(z)] = [tl(zz)]\})$ | $F = \{(z, zz)\}$
  [Reduce] $(\mathcal B, \{[z] = [zz]\}, \{[z] = [(zz)']\})$ (the $hd$ goal reduces to $[0] = [0]$) | $F = \{(z, zz)\}$; $z \sim (zz)'$?
  [Derive] $(\mathcal B, \{[z] = [zz], [z] = [(zz)']\}, \{[hd(z)] = [hd(0 : zz)],\ [tl(z)] = [tl(0 : zz)]\})$ | $F = \{(z, zz), (z, (zz)')\}$
  [Reduce] $(\mathcal B, \{[z] = [zz], [z] = [(zz)']\}, \{\})$ (the goals reduce to $[0] = [0]$ and $[z] = [zz]$, the latter a hypothesis) | $F = \{(z, zz), (z, (zz)')\}$ is a bisimulation

Next, we focus on using CIRC for automatically reasoning on the equivalence of $\mathcal G$-expressions. As we will show, the implementation of both the algebraic specifications associated with non-deterministic functors and the equational entailment relation described in Section 3.3 is immediate. Given a non-deterministic functor $\mathcal G$, we define a CIRC theory $\mathcal B_{\mathcal G} = (S, (\Sigma, \Delta), (E, \mathcal I))$ as follows:

- $(S, \Sigma, E)$ is $\mathcal E_{\mathcal G}$;

- $\Delta = \{\delta_{\mathcal G \lhd \mathcal G}(*{:}\mathrm{Exp})\}$, so the only derivable equations are those of sort Exp. As we have already seen for the example of streams, equations of sort Slt must not be derivable. Since we have the subsort relation Slt < Exp, we avoid the application of the derivative $\delta_{\mathcal G \lhd \mathcal G}(*{:}\mathrm{Exp})$ over equations of sort Slt by means of an interpolant (see below).

- $\mathcal I$ consists of the following equational interpolants, whose role is to replace current proof obligations over non-trivial structures with simpler ones:

$$\langle \sigma_1, \sigma_2 \rangle = \langle \sigma_1', \sigma_2' \rangle \Rightarrow \{\sigma_1 = \sigma_1',\ \sigma_2 = \sigma_2'\} \qquad (3.12)$$

$$k_i(\sigma) = k_i(\sigma') \Rightarrow \{\sigma = \sigma'\} \qquad (3.13)$$

$$f = g \Rightarrow \{f(a) = g(a) \mid a \in A\} \qquad (3.14)$$

$$\{\sigma_1, \ldots, \sigma_n\} = \{\sigma_1', \ldots, \sigma_m'\} \Rightarrow \Big\{\bigwedge_{i \in \overline{1, n}} \big(\bigvee_{j \in \overline{1, m}} \sigma_i = \sigma_j'\big) \wedge \bigwedge_{j \in \overline{1, m}} \big(\bigvee_{i \in \overline{1, n}} \sigma_i = \sigma_j'\big)\Big\} \qquad (3.15)$$

together with an equational interpolant

$$t = t' \Rightarrow \{t \sim t' = \mathrm{true}\} \qquad (3.16)$$

where $\sim$ is the equality predicate equationally defined over the sort Slt. The last interpolant transforms the equations of sort Slt from derivable (because of the subsort relation Slt < Exp) into non-derivable and equivalent ones.

The interpolants (3.12)-(3.16) in $\mathcal I$ extend the entailment relation $\vdash_{NDF}$ (introduced in Definition 3.3.1) as follows:

$$\frac{E \vdash_{NDF} \{e_i \mid i \in I\}}{E \vdash_{NDF} e} \quad \text{if } e \Rightarrow \{e_i \mid i \in I\} \text{ in } \mathcal I$$
3.4.2 Theorem (Soundness). Let $\mathcal{G}$ be a non-deterministic functor, and $G$ a binary rela
tion on the set of $\mathcal{G}$-expressions. 

If $(\mathcal{B}_\mathcal{G}, F_0 = \emptyset, G_0 = [G]) \Rightarrow (\mathcal{B}_\mathcal{G}, F_n, G_n = \emptyset)$ using [Reduce], [Derive] and [Simplify], then 
$G \subseteq\ \sim_\mathcal{G}$. 

Proof. The idea of the proof is to find a bisimulation relation $F$ such that $G \subseteq F$. 

First, let $F$ be the set of hypotheses (or derived goals) collected during the proof session. 
We distinguish between two cases: 

a) $\mathcal{G} = B$. For this case, the set of expressions in $G$ is given by the following grammar: 

$e ::= \emptyset \mid b \mid e \oplus e \mid \mu x.e$ (3.17) 

Note that the goals $e = e'$ in $G$ are proven 

1. either according to [Simplify], applied in the context of the equational inter
polant (3.16). If this is the case, then $e = e'$ holds by reflexivity, therefore 

$\mathcal{B}_\mathcal{G} \vdash_{NDF} \delta_{B \lhd B}(e) = \delta_{B \lhd B}(e')$ (3.18) 

also holds; 

2. or after the application of [Derive], in which case 
$\mathcal{B}_\mathcal{G} \cup [F] \vdash_{NDF} \delta_{B \lhd B}(e) = \delta_{B \lhd B}(e')$ holds. Note that $\delta_{B \lhd B}(e)$ and $\delta_{B \lhd B}(e')$ are reduced to $b$, respectively 
$b' \in B$, according to (3.17) and the definition of $\delta_{B \lhd B}$. Consequently, the non-
derivable (due to the subsort relation $B$ < Slt) goal $b = b'$ holds by reflexivity, 
so the following is a sound statement: 

$\mathcal{B}_\mathcal{G} \cup [F] \vdash_{NDF} \delta_{B \lhd B}(e) = \delta_{B \lhd B}(e')$ (3.19) 

Based on (3.18), (3.19) and Corollary 3.3.4 b), we conclude that $F = cl(G_{id})$ is a 
bisimulation, hence $G \subseteq cl(G_{id}) \subseteq\ \sim_\mathcal{G}$. 

b) $\mathcal{G} \neq B$. Based on the reduction rules implemented in CIRC, it is quite easy to see 
that the initial set of goals $G$ is a $\vdash_{NDF}$-consequence of $\mathcal{B}_\mathcal{G} \cup [F]$. In other words, $G \subseteq 
cl(F_{id})$. So, anticipating a bit, we should show that $F = cl(F_{id})$ is a bisimulation, 
i.e., according to Corollary 3.3.4, $\mathcal{B}_\mathcal{G} \cup [F] \vdash_{NDF} \delta_{\mathcal{G}\lhd\mathcal{G}}(F)$. This is achieved by 
proving that $\mathcal{B}_\mathcal{G} \cup [F] \vdash_{NDF} G_i$ for all $i \in \overline{0,n}$ (note that $\delta_{\mathcal{G}\lhd\mathcal{G}}(F) \subseteq \bigcup_{i \in \overline{0,n}} G_i$, according 
to [Derive]). The proof is by induction on $j$, where $n - j$ is the current proof step, 
and by case analysis on the CIRC reduction rules applied at each step. 

We further provide a sketch of the proof. 

The base case $j = n$ follows immediately, as $\mathcal{B}_\mathcal{G} \cup [F] \vdash_{NDF} G_n = \emptyset$. 

For the induction step we proceed as follows. Let $[e] \in G_j$. If $[e] \in G_{j+1}$ then $\mathcal{B}_\mathcal{G} \cup 
[F] \vdash_{NDF} [e]$ by the induction hypothesis. If $[e] \notin G_{j+1}$ then, for example, if [Reduce] 
was applied, it holds that $\mathcal{B}_\mathcal{G} \cup [F_j] \vdash_{NDF} [e]$. Recall that $F_j \subseteq F$, so $\mathcal{B}_\mathcal{G} \cup [F] \vdash_{NDF} [e]$ 
also holds. The result follows in a similar fashion for the application of [Derive] or 
[Simplify]. 
Remark 9 The soundness of the proof system we describe in this chapter does not follow 
directly from Theorem 3 in [RL09]. This is due to the fact that we do not have an experiment-
based definition of bisimilarity. So, even though the mechanism we use for proving $\mathcal{B}_\mathcal{G} \cup 
[F] \vdash_{NDF} G_i$ (for the case $\mathcal{G} \neq B$) is similar to the one described in [RL09], the current 
soundness proof is conceived in terms of bisimulations (and not experiments). 

Remark 10 The entailment relation $\vdash_{NDF}$ that CIRC uses for checking the equivalence of 
generalised regular expressions is an instantiation of the parametric entailment relation $\vdash$ 
from the proof system in [RL09]. This approach allows CIRC to reason automatically on a 
large class of systems which can be modelled as non-deterministic coalgebras. 

As already stated, our final goal is to use CIRC as a decision procedure for the bisimilarity 
of generalised regular expressions. That is, whenever provided with a set of expressions, the 
prover stops with a yes/no answer with respect to their equivalence. In this context, an 
important aspect is that the sub-coalgebra generated by an expression $e \in Exp_\mathcal{G}$ by repeat
edly applying $\delta_{\mathcal{G}\lhd\mathcal{G}}$ is, in general, infinite. Take for example the non-deterministic functor 
$\mathcal{S} = B \times Id$ associated with infinite streams, and consider the property $\mu x.\emptyset \oplus r(x) = 
\mu x.r(x)$. In order to prove this, CIRC builds an infinite proof sequence by repeatedly 
applying $\delta_\mathcal{S}$ as follows: 

$\delta_\mathcal{S}(\mu x.\emptyset \oplus r(x)) = \delta_\mathcal{S}(\mu x.r(x))$ 
$\downarrow$ 
$\langle \bot_B, \emptyset \oplus (\mu x.\emptyset \oplus r(x))\rangle = \langle \bot_B, \mu x.r(x)\rangle$ 

$\delta_\mathcal{S}(\emptyset \oplus (\mu x.\emptyset \oplus r(x))) = \delta_\mathcal{S}(\mu x.r(x))$ 
$\downarrow$ 
$\langle \bot_B, \emptyset \oplus \emptyset \oplus (\mu x.\emptyset \oplus r(x))\rangle = \langle \bot_B, \mu x.r(x)\rangle$ [...] 

In this case, the prover never stops. We observed in Section 3.2 that Theorem 3.2.5 guar
antees we can associate a finite coalgebra to a certain expression. In the proof of the 
aforementioned theorem, which is presented in [SBR10], it is shown that the axioms for 
associativity, commutativity and idempotency (ACI) of $\oplus$ guarantee finiteness of the gen
erated sub-coalgebra (note that these axioms have also been proven sound with respect 
to bisimulation). ACI properties can easily be specified in CIRC, as the prover is an exten
sion of Maude, which has a powerful matching modulo ACUI (ACI plus unity) capability. 
The idempotence is given by the equation $e \oplus e = e$, and the commutativity and asso
ciativity are specified as attributes of $\oplus$. It is interesting to remark that for the powerset 
functor termination is guaranteed without the axioms, because the coalgebra structure 
on the expressions for the powerset functor already includes ACI (since $\mathcal{P}_\omega(Exp_\mathcal{G})$ is itself 
a join-semilattice). 

3.4.3 Theorem. Let $G$ be a set of proof obligations over generalised regular expressions. 
CIRC can be used as a decision procedure for the equivalences in $G$, that is, it can decide 
whether a goal $(e_1, e_2)$ is a true or a false equality. 

Proof. Note that, as proven in [SBR10], the ACI axioms for $\oplus$ guarantee that $\delta_\mathcal{G}$ is ap
plied a finite number of times in the generation of the sub-coalgebra associated with 
a $\mathcal{G}$-expression. Therefore, it straightforwardly follows that by implementing the ACI ax
ioms in CIRC (as attributes of $\oplus$), the set of new goals obtained by applying $\delta_\mathcal{G}$ is finite. 
In these circumstances, whenever CIRC stops according to the reduction rule [Done], the 
initial proof obligations are bisimilar. On the other hand, whenever it terminates with 
[Fail], the goals are not bisimilar. 
3.5 A CIRC-based Tool 


We have implemented a tool that, when provided with a functor $\mathcal{G}$, automatically gen
erates a specification for CIRC which can then be used in order to automatically check 
whether two $\mathcal{G}$-expressions are bisimilar. 

The tool is implemented as a metalanguage application in Maude. It can be downloaded 
from the address http://goriac.info/tools/functorizer/. In order to start the 
tool, one needs to launch Maude along with the extension Full-Maude and load the down¬ 
loaded file using the command in functorizer.maude . 

The general use case consists in providing the join-semilattices, the alphabets and the 
expressions. After these steps, the tool automatically checks if the provided expressions 
are guarded, closed and correctly typed. If this check succeeds, then it outputs a speci¬ 
fication that can be further processed by CIRC. In the end, the prover outputs either the 
bisimulation, if the expressions are equivalent, or a negative answer, otherwise. 

We present two case studies in order to emphasise the high degree of generality for the 
types of systems we can handle, and show how the tool is used. 


3.5.1 Example. We consider the case of Mealy machines, which are coalgebras for the 
functor $(B \times Id)^A$. 

Formally, a Mealy machine is a pair $(S, \alpha)$ consisting of a set $S$ of states and a transition 
function $\alpha : S \to (B \times S)^A$, which for each state $s \in S$ and input $a \in A$ associates an output 
value $b$ and a next state $s'$. Typically, we write $\alpha(s)(a) = (b, s')$ iff $s \xrightarrow{a|b} s'$. 

In this example and in what follows we will consider for the output the two-value join-
semilattice $B = \{0, 1\}$ (with $\bot_B = 0$) and for the input the alphabet $A = \{a, b\}$. The expressions 
for Mealy machines are given by the grammar: 

$E ::= \emptyset \mid x \mid E \oplus E \mid \mu x.E_2 \mid a(r(E)) \mid b(r(E)) \mid a(l(E_1)) \mid b(l(E_1))$ 
$E_1 ::= \emptyset \mid E_1 \oplus E_1 \mid 0 \mid 1$ 
$E_2 ::= \emptyset \mid E_2 \oplus E_2 \mid \mu x.E_2 \mid a(r(E)) \mid b(r(E)) \mid a(l(E_1)) \mid b(l(E_1))$ 

Intuitively, an expression of shape $a(l(E_1))$ specifies a state that for an input $a$ has an 
output value specified by $E_1$. For example, the expression $a(l(1))$ specifies a state that 
for input $a$ outputs 1, whereas in the case of $a(l(0))$ the output is 0. An expression 
of shape $a(r(E))$ specifies a state that for a certain input $a$ has a transition to a new 
state represented by $E$. For example, the expression $\mu x.a(r(x))$ states that for input $a$ 
the machine performs an "$a$-loop" transition, whereas $a(r(\emptyset))$ states that for input $a$ 
there is a transition to the state denoted by $\emptyset$. It is interesting to note that a state will 
only be fully specified, in what concerns transitions and output for a given input $a$, if 
both $a(l(E_1))$ and $a(r(E))$ appear in the expression (combined by $\oplus$). In case only the 
transition (respectively, the output) is specified, the underspecification is resolved by setting 
the target state (respectively, the output) to $\emptyset$ (respectively, $\bot_B = 0$). 

Next, to provide the reader with intuition, we explain how one can reason on the 
bisimilarity of two simple expressions by constructing bisimulation relations. Later on, 
we show how CIRC can be used in conjunction with our tool in order to act as a decision 
procedure when checking the equivalence of two expressions, in a fully automated manner. 
We start with the expressions $e_1 = \mu x.a(r(x))$ and $e_2 = \emptyset$. We have to build a bisim
ulation relation $R$ on $\mathcal{G}$-expressions such that $(e_1, e_2) \in R$. We do this in the following 
way: we start by taking $R = \{(e_1, e_2)\}$ and we check whether this is already a bisimulation, 
by considering the output values and transitions and checking whether no new expressions 
appear in this process. If new pairs of expressions appear, we add them to $R$ and repeat 
the process. Intuitively, this can be represented as follows: 



[Figure 3.4: Bisimulation construction. Start with $R = \{(e_1, e_2)\}$. For input $a$, $e_1$ outputs 0 and moves to $e_1$, while $e_2 = \emptyset$ outputs 0 and moves to $e_2$; for input $b$, $e_1$ outputs 0 and moves to $\emptyset = e_2$, as does $e_2$. The pair $(e_2, e_2)$ is not yet in $R$, so add it: $R = \{(e_1, e_2), (e_2, e_2)\}$.] 


In the figure above, and as before, we connect $e_1$ and $e_2$ by a line to denote $(e_1, e_2) \in 
R$. As illustrated in Figure 3.4, $R = \{(e_1, e_2), (e_2, e_2)\}$ is closed under transitions and is 
therefore a bisimulation. Hence, $e_1 \sim e_2$. 

The proved equality $\emptyset = \mu x.a(r(x))$ might seem unexpected if the reader is familiar with 
labelled transition systems. The equality is sound because these are expressions specifying 
the behaviour of a Mealy machine and, semantically, both denote the function that for every 
non-empty word outputs 0 (the semantics of Mealy machines is given by functions in $B^{A^+}$; 
intuitively, one can think of both expressions as denoting the empty language). This 
is visible if one draws the automata corresponding to both expressions (say, for simplicity, 
the alphabet is $A = \{a\}$): 

[Diagram: the state $\emptyset$ with a single $a|0$ self-loop, and the state $\mu x.a(r(x))$ with a single $a|0$ self-loop.] 

Note that (i) the $\emptyset$ expression for Mealy machines is mapped by $\delta$ to a function that 
for input $a$ gives $\langle 0, \emptyset\rangle$, which represents a state with an $a$-loop to itself and output 0; 
(ii) the second expression specifies explicitly an $a$-loop to itself and it also has output 0, 
since no output value is explicitly defined. Now, also note that similar expressions for 
labelled transition systems (LTS's), or coalgebras of the functor $(\mathcal{P}_\omega Id)^A$, would not be 
bisimilar, since one would have an $a$-transition and the other one not. This is because the 
$\emptyset$ expression for LTS's really denotes a deadlock state. In operational terms they would be 
converted to the systems 

[Diagram: the state $\emptyset$ with no outgoing transitions, and the state $\mu x.a(x)$ with an $a$-loop to itself.] 

which now have an obvious difference in behaviour. 

By performing a similar reasoning as in the example above one can show that the expres
sions $e_1 = \mu x.a(r(x)) \oplus b(r(x))$ and $e_2 = \mu x.a(r(x))$ are bisimilar, and the bisimulation 
relation is built as illustrated in Figure 3.5. 
[Figure 3.5: Bisimulation construction. Start with $R = \{(e_1, e_2)\}$. $e_1$ has $a|0$ and $b|0$ loops to itself; $e_2$ has an $a|0$ loop to itself and a $b|0$ transition to $\emptyset$. The pair $(e_1, \emptyset)$ is not yet in $R$, so add it; since $\emptyset$ has $a|0$ and $b|0$ loops to itself, $R = \{(e_1, e_2), (e_1, \emptyset)\}$ is closed.] 

Let us further consider the Mealy machine depicted in Figure 3.6, where all states are 
bisimilar. 

[Figure 3.6: Mealy machine with states $s_1$ and $s_2$, transitions labelled $a|0$ and $b|1$; $s_1 \sim s_2$.] 

We show how to check the equivalence of two expressions characterising the states $s_1$ and 
$s_2$, in a fully automated manner, using CIRC. These expressions are $e_1 = \mu x.b(l(1)) \oplus 
b(r(e_2)) \oplus a(r(\mu y.a(r(y)) \oplus b(r(e_2)) \oplus b(l(1))))$ and $e_2 = \mu x.b(l(1)) \oplus b(r(x)) \oplus a(r(x))$, 
respectively. 

In order to check the bisimilarity of $e_1$ and $e_2$ we load the tool and define the semilattice 
$B = \{0, 1\}$ and the alphabet $A = \{a, b\}$: 

(jslt B is 0 1 bottom 0 . 0 v 0 = 0 . 0 v 1 = 1 . 1 v 1 = 1 . endjslt) 

(alph A is a b endalph) 

We provide the functor using the command (functor (B x Id) ^ A .). The command (set 
goal ... .) specifies the goal we want to prove: 

(set goal 
  \mu X:FixpVar . b(l<1>) (+) a(l<0>) (+) b(r<X:FixpVar>) (+) 
    a(r<X:FixpVar>) = 
  \mu X:FixpVar . b(l<1>) (+) b(r<\mu X:FixpVar . b(l<1>) (+) 
    b(r<X:FixpVar>) (+) a(r<X:FixpVar>)>) (+) 
    a(r<\mu Y:FixpVar . a(r<Y:FixpVar>) (+) 
      b(r<\mu X:FixpVar . b(l<1>) (+) a(l<0>) (+) 
        b(r<X:FixpVar>) (+) a(r<X:FixpVar>)>) (+) b(l<1>)>) .) 

In order to generate the CIRC specification we use the command (generate coalgebra .). 
Next we need to load CIRC along with the resulting specification and start the proof 
engine using the command (coinduction .). 

As already shown, behind the scenes, CIRC builds a bisimulation relation that includes the 
initial goal. The proof succeeds and the output consists of (a subset of) this bisimulation: 

Proof succeeded. 

Number of derived goals: 2 
Number of proving steps performed: 50 
Maximum number of proving steps is set to: 256 

Proved properties: 

- phi (+) (\mu X . a(l<0>) (+) a(r<X>) (+) b(l<1>) (+) b(r<X>)) = 
  phi (+) (\mu Y . a(r<Y>) (+) b(l<1>) (+) 
    b(r<\mu X . a(l<0>) (+) a(r<X>) (+) b(l<1>) (+) b(r<X>)>)) 

- \mu X . a(l<0>) (+) a(r<X>) (+) b(l<1>) (+) b(r<X>) = 
  \mu Z . a(r<\mu Y . a(r<Y>) (+) b(l<1>) (+) 
    b(r<\mu X . a(l<0>) (+) a(r<X>) (+) b(l<1>) (+) b(r<X>)>)>) (+) 
  b(l<1>) (+) b(r<\mu X . a(l<0>) (+) a(r<X>) (+) 
    b(l<1>) (+) b(r<X>)>) 


For ease of understanding, here we printed a readable version of the proved prop
erties. In Section 3.5.1, however, we show that internally each expression is brought to 
a canonical form by renaming the variables. Moreover, note that in our tool, $\emptyset$ is repre
sented by the constant phi. All the examples provided in the current section make use of 
this convention. 

As previously mentioned, CIRC is also able to detect when two expressions are not 
equivalent. Take, for instance, the expressions $\mu x.a(l(0)) \oplus a(r(a(l(1)) \oplus a(r(x))))$ and 
$a(l(0)) \oplus a(r(a(r(\mu x.a(r(x)) \oplus a(l(0)))) \oplus a(l(1))))$, characterising the states $s_1$ and $s_3$ 
from the Mealy machines in Figure 3.7. After following some steps similar to the ones 
previously enumerated, the proof fails and the output message is Visible goal [...] failed 
during coinduction. 

[Figure 3.7: Mealy machines: $s_1 \not\sim s_3$.] 
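The construction used in Figures 3.4 to 3.7 (close $R$ under $\delta$, comparing outputs; a mismatch is the [Fail] case of Theorem 3.4.3) can be run as a program. The Python below is an added example, not the thesis tool and not CIRC: it implements $\delta_\mathcal{G}$ for Mealy expressions over $A = \{a, b\}$ and $B = \{0, 1\}$, keeps sums modulo ACUI by storing the summands of $\oplus$ in a frozenset (the role the ACI axioms play in Section 3.4, which is what keeps the closure finite), and reproduces the relations of Figures 3.4 to 3.6 and the failure of Figure 3.7. The tuple encoding of expressions and the restriction of the argument of $l(\cdot)$ to a single bit are assumptions made for the example.

```python
"""Bisimulation construction for Mealy-machine expressions, functor (B x Id)^A with
B = {0,1} (join = max, bottom 0) and A = {a, b}.  Added example mirroring the hand
construction of Figures 3.4-3.7; it is not the thesis tool and not CIRC.  Sums are
kept modulo ACUI (Section 3.4) by storing the summands of (+) in a frozenset."""

A = ("a", "b")          # input alphabet (assumed, as in the chapter's examples)
EMPTY = ("empty",)      # the expression phi (the empty / underspecified state)

# Constructors.  Output ingredients act(l(E1)) are restricted to a single bit.
def var(x):        return ("var", x)
def mu(x, e):      return ("mu", x, e)
def out(act, bit): return ("out", act, bit)   # act(l(bit))
def nxt(act, e):   return ("next", act, e)    # act(r(e))
def plus(*es):     return ("plus", *es)       # e1 (+) e2 (+) ...

def norm(e):
    """Canonical form modulo ACUI: a sum becomes ("sum", frozenset of summands);
    phi is dropped (unit), duplicates collapse (idempotence), order is irrelevant."""
    k = e[0]
    if k in ("empty", "var", "out"):
        return e
    if k in ("mu", "next"):
        return (k, e[1], norm(e[2]))
    summands = set()
    for s in (e[1] if k == "sum" else e[1:]):
        n = norm(s)
        if n[0] == "sum":
            summands |= n[1]
        elif n != EMPTY:
            summands.add(n)
    if not summands:
        return EMPTY
    if len(summands) == 1:
        return next(iter(summands))
    return ("sum", frozenset(summands))

def subst(e, x, v):
    """e[v/x]; v is closed, so no variable capture can occur."""
    k = e[0]
    if k == "var":
        return v if e[1] == x else e
    if k == "mu":
        return e if e[1] == x else ("mu", e[1], subst(e[2], x, v))
    if k == "next":
        return ("next", e[1], subst(e[2], x, v))
    if k == "sum":
        return norm(plus(*[subst(s, x, v) for s in e[1]]))
    return e                      # empty, out

def delta(e):
    """delta_G(e) for e in normal form: input -> (output bit, next expression).
    A missing output defaults to 0 (bottom of B), a missing transition to phi."""
    k = e[0]
    d = {act: (0, EMPTY) for act in A}
    if k == "empty":
        return d
    if k == "out":
        d[e[1]] = (e[2], EMPTY)
    elif k == "next":
        d[e[1]] = (0, e[2])
    elif k == "mu":                                 # unfold mu x.e to e[mu x.e / x]
        d = delta(norm(subst(e[2], e[1], e)))
    elif k == "sum":                                # Plus: join the outputs, sum the next states
        for s in e[1]:
            ds = delta(s)
            d = {act: (max(d[act][0], ds[act][0]),
                       norm(plus(d[act][1], ds[act][1]))) for act in A}
    else:
        raise ValueError("open expression: " + repr(e))
    return d

def bisimulation(e1, e2):
    """Close {(e1, e2)} under delta as in Figures 3.4/3.5.  Returns the relation (a set
    of pairs of normal forms) when e1 ~ e2, or None at the first pair whose outputs
    differ, which is the [Fail] case of Theorem 3.4.3."""
    relation, todo = set(), [(norm(e1), norm(e2))]
    while todo:
        pair = todo.pop()
        if pair in relation:
            continue
        d1, d2 = delta(pair[0]), delta(pair[1])
        for act in A:
            if d1[act][0] != d2[act][0]:
                return None
            todo.append((d1[act][1], d2[act][1]))
        relation.add(pair)
    return relation

# The pairs of Figures 3.4-3.7 (constructed from the chapter's expressions).
x, y, z = var("x"), var("y"), var("z")
FIG34 = (mu("x", nxt("a", x)), EMPTY)
FIG35 = (mu("x", plus(nxt("a", x), nxt("b", x))), mu("x", nxt("a", x)))
E2 = mu("x", plus(out("a", 0), nxt("a", x), out("b", 1), nxt("b", x)))
E1 = mu("z", plus(nxt("a", mu("y", plus(nxt("a", y), out("b", 1), nxt("b", E2)))),
                  out("b", 1), nxt("b", E2)))
FIG36 = (E1, E2)
FIG37 = (mu("x", plus(out("a", 0), nxt("a", plus(out("a", 1), nxt("a", x))))),
         plus(out("a", 0), nxt("a", plus(nxt("a", mu("x", plus(nxt("a", x), out("a", 0)))),
                                         out("a", 1)))))

if __name__ == "__main__":
    for name, pair in (("Fig. 3.4", FIG34), ("Fig. 3.5", FIG35),
                       ("Fig. 3.6", FIG36), ("Fig. 3.7", FIG37)):
        r = bisimulation(*pair)
        print(name, "not bisimilar" if r is None else "bisimilar, %d pairs" % len(r))
```

The relation sizes match the figures: two pairs for Figure 3.4 and Figure 3.5, three for Figure 3.6 (the initial goal plus the two derived goals CIRC reports), and for Figure 3.7 the pair reached after two $a$-steps outputs 1 on one side and 0 on the other, which is the visible failure.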


3.5.2 Example. Next we show how to check strong bisimilarity of non-deterministic pro
cesses of a non-trivial CCS-like language with termination, deadlock, and divergence, as 
studied in [AH92]. A process is a guarded, closed term defined by the following grammar: 

$P ::= \checkmark \mid \delta \mid \Omega \mid a.P \mid P + P \mid x \mid \mu x.P$ (3.20) 

where: 

- $\checkmark$ is the constant for successful termination, 

- $\delta$ denotes deadlock, 

- $\Omega$ is the divergent computation (i.e., the undefined process), 

- $a.P$ is the process executing the action $a$ and then continuing as the process $P$, for 
any action $a$ from a given set $A$, 

- $P_1 + P_2$ is the non-deterministic process behaving as either $P_1$ or $P_2$, and 

- $\mu x.P$ is the recursive process $P[\mu x.P/x]$. 

In [SBR10] it is shown that, up to strong bisimilarity, the above syntax of processes is 
equivalent to the canonical set of (guarded, closed) regular expressions derived for the 
functor $1 + (\mathcal{P}_\omega Id)^A$: 

$E ::= \emptyset \mid E \oplus E \mid x \mid \mu x.E \mid l[E_1] \mid r[E_2]$ 
$E_1 ::= \emptyset \mid E_1 \oplus E_1 \mid 1$ 
$E_2 ::= \emptyset \mid E_2 \oplus E_2 \mid a(E_3)$ 
$E_3 ::= \emptyset \mid E_3 \oplus E_3 \mid \{E\}$ 

The translation map $(-)^\dagger$ from processes to expressions is defined by induction on the 
structure of the process: 

$(\checkmark)^\dagger = l[1]$ 
$(a.P)^\dagger = r[a(\{P^\dagger\})]$ 
$(\delta)^\dagger = r[\emptyset]$ 
$(P_1 + P_2)^\dagger = (P_1)^\dagger \oplus (P_2)^\dagger$ 
$(\Omega)^\dagger = \emptyset$ 
$(x)^\dagger = x$ 
$(\mu x.P)^\dagger = \mu x.P^\dagger$ 


Consider now two processes $P$ and $Q$ over the alphabet $A = \{a, b\}$: 

$P = \mu x.(a.x + a.P_1 + b.b.\checkmark + b.(\delta + \Omega))$ 

$Q = \mu z.(a.z + b.(\delta + b.\checkmark) + b.\delta)$ 

where $P_1 = \mu y.(a.(y + \delta) + b.\delta + b.(\delta + b.\checkmark) + \delta)$. Graphically, the two processes can be rep
resented by the following labelled transition systems (for simplicity we omit annotating 
states with information regarding the satisfiability of successful termination, divergence, 
and deadlock): 

[Figure 3.8: Non-deterministic processes: $Q \sim P$ (the labelled transition systems of $P$ and $Q$).] 

We want to check if the process $P$ is strongly bisimilar to the process $Q$. By using the 
above translation, process $P$ is represented by the expression 

$\mu x.(r[a(\{\mu y.(r[a(\{y \oplus r[\emptyset]\})] \oplus r[b(\{r[\emptyset]\})] \oplus 
r[b(\{r[\emptyset] \oplus r[b(\{l[1]\})]\})] \oplus r[\emptyset])\})] \oplus 
r[a(\{x\})] \oplus r[b(\{r[b(\{l[1]\})]\})] \oplus r[b(\{r[\emptyset] \oplus \emptyset\})])$ 

whereas process $Q$ is represented by the expression 

$\mu z.(r[a(\{z\})] \oplus r[b(\{r[\emptyset] \oplus r[b(\{l[1]\})]\})] \oplus r[b(\{r[\emptyset]\})])$. 
In order to use the tool, one needs to specify the semilattice, the alphabet, the functor, 
and the goal in a manner similar to the one previously presented: 

(jslt B is 1 bottom 1 . 1 v 1 = 1 . endjslt) 

(alph A is a b endalph) 

(functor B + (P Id) ^ A .) 

(set goal \mu X:FixpVar . 
    r[ a( { X:FixpVar } ) ] (+) 
    r[ a( { \mu Y:FixpVar . 
              r[ a( { Y:FixpVar (+) r[ phi ] } ) ] (+) 
              r[ b( { r[ phi ] } ) ] (+) 
              r[ b( { r[ phi ] (+) r[ b( { l[ 1 ] } ) ] } ) ] (+) 
              r[ phi ] 
          } ) 
     ] (+) 
    r[ b( { r[ b( { l[ 1 ] } ) ] } ) ] (+) 
    r[ b( { r[ phi ] (+) phi } ) ] 
  = 
  \mu Z:FixpVar . 
    r[ a( { Z:FixpVar } ) ] (+) 
    r[ b( { r[ phi ] (+) r[ b( { l[ 1 ] } ) ] } ) ] (+) 
    r[ b( { r[ phi ] } ) ] .) 

For the generated specification CIRC terminates and outputs a positive result: 

Proof succeeded. 

Number of derived goals: 15 

Number of proving steps performed: 58 

Maximum number of proving steps is set to: 256 

Proved properties: 

- r[phi] (+) (\mu Y . r[phi] (+) r[a({r[phi] (+) Y})] (+) r[b({r[phi]})] 
  (+) r[b({r[phi] (+) r[b({l[1]})]})]) = 
  \mu Z . r[a({Z})] (+) r[b({r[phi]})] (+) r[b({r[phi] (+) r[b({l[1]})]})] 

- r[b({l[1]})] = r[phi] (+) r[b({l[1]})] 

- \mu Y . r[phi] (+) r[a({r[phi] (+) Y})] (+) r[b({r[phi]})] (+) 
  r[b({r[phi] (+) r[b({l[1]})]})] = 
  \mu Z . r[a({Z})] (+) r[b({r[phi]})] (+) r[b({r[phi] (+) r[b({l[1]})]})] 

- \mu X . r[a({X})] (+) r[a({\mu Y . r[phi] (+) r[a({r[phi] (+) Y})] (+) 
  r[b({r[phi]})] (+) r[b({r[phi] (+) r[b({l[1]})]})]})] (+) 
  r[b({r[phi] (+) phi})] (+) r[b({r[b({l[1]})]})] = 
  \mu Z . r[a({Z})] (+) r[b({r[phi]})] (+) r[b({r[phi] (+) r[b({l[1]})]})] 


3.5.1 Implementation 

In this section we present details on the implementation of the algebraic specification 
given in Section 3.3, based on the examples from Section 3.5. 

In order to generate the algebraic specifications for CIRC when provided with a functor and 
two expressions, we used the Maude system [CDE+07]. We chose it for its suitability for 
performing equational and rewriting logic based computations, and because of its reflec
tive properties, which allow for the development of advanced metalanguage applications. As 
the technical aspects of how to work at the meta-level are beyond the scope of this paper, 
we refrain from presenting them and show, instead, what the generated specifications 
consist of. 

Most of the algebraic specifications from Section 3.3 have a straightforward implemen
tation in Maude. Consider, for instance, the case of Mealy machines presented in Exam
ple 3.5.1. The generated grammars for functors (3.1) and expressions (Section 3.3) 
are coded as: 

  sort Functor . 
  sorts AlphName SltName . 
  subsort SltName < Functor . 

  op A : -> AlphName . 
  op B : -> SltName . 
  op G : -> Functor . 
  op Id : -> Functor . 
  op _+_ : Functor Functor -> Functor . 
  op _^_ : Functor AlphName -> Functor . 
  op _x_ : Functor Functor -> Functor . 

  sorts Exp ExpStruct Alph Slt FixpVar . 
  subsort Exp < ExpStruct . 
  enum A is a b . enum B is 0 1 . 
  subsort A < Alph . 
  subsort B < Slt . 

  op _`(+`)_ : Exp Exp -> Exp . 
  op _`(_`) : Alph Exp -> Exp . 
  op \mu_._ : FixpVar Exp -> Exp . 
  ops l<_> r<_> : Exp -> Exp . 
  op phi : -> Exp . 

  eq G = (B x Id) ^ A . 

Most of the syntactical constructs are Maude-specific: sorts and subsort declare the sorts 
we work with and, respectively, the relations between them; op declares operators; eq 
declares equations (the equation in our case defines the shape of the functor G). The only 
CIRC-specific construct, enum, is syntactic sugar for declaring enumerable sorts, i.e., sorts 
that consist only of the specified constants. As a side note, if brackets ((, [, {) are used in 
the declaration of an operation, then they must be preceded by a backquote (‘). 

As mentioned in Section 3.4, in order to guarantee the finiteness of our procedure, one 
needs to include the ACI axioms for (+). Moreover, we have observed that the unity 
axiom for (+) plays an important role in decreasing the number of states generated by 
the repeated application of $\delta_\mathcal{G}$, therefore improving the overall time performance of the 
tool. For example, the number of rewritings CIRC performed in order to prove the 
bisimilarity of $e_1$ and $e_2$ in Figure 3.6 was halved when the unity axiom was used. 

By turning on the axiomatisation flag using the command (axioms on .), the following code 
is generated: 

op _‘(+‘)_ : Exp Exp -> Exp [assoc comm] . 
eq E:Exp (+) E:Exp = E:Exp . 
eq E:Exp (+) phi = E:Exp . 

An obvious question is why not add other axioms to the tool, since the unity axiom 
has improved performance. At this stage we have not studied in detail how much adding 
other axioms would help. It is in any case a trade-off between how many extra axioms one 
should include, which will bring the automaton produced from an expression closer to the 
minimal automaton, and how much time the tool will take to reduce the expressions in 
each step modulo the axioms. For classical regular expressions, there is an interesting 
empirical study on this [ORT09]. We leave it as future work to carry out a similar study 
for our expressions and axioms. 

The process of substituting fixed-point variables has a natural implementation. We present 
the equations handling the basic expressions $\emptyset$ and $x$, and the operation (+): 

  op _`[_/_`] : Exp Exp FixpVar -> Exp . 
  eq phi [ E:Exp / X:FixpVar ] = phi . 
  ceq Y:FixpVar [ E:Exp / X:FixpVar ] = E:Exp if (X:FixpVar == Y:FixpVar) . 
  eq Y:FixpVar [ E:Exp / X:FixpVar ] = Y:FixpVar [owise] . 
  eq (E1:Exp (+) E2:Exp) [ E:Exp / X:FixpVar ] = 
     (E1:Exp [E:Exp / X:FixpVar]) (+) (E2:Exp [E:Exp / X:FixpVar]) . 

In order to avoid matching problems and to overcome the fact that in Maude one cannot 
handle an equation that has fresh variables in its right-hand side (i.e., variables that do not 
appear in the left-hand side), we replace expression variables with parameterised constants: 
op var : Nat -> FixpVar . The operation that obtains this canonical form has an inductive defi
nition on the structure of the given expression and makes use of the substitution operation 
presented above. For this reason, the bisimulation CIRC builds contains parameterised 
constants instead of the user-declared variables. The property proved in Example 3.5.2 
is, therefore, written as: 

  \mu var(2) . r[a({var(2)})] (+) r[a({\mu var(1) . r[phi] (+) 
    r[a({r[phi] (+) var(1)})] (+) r[b({r[phi]})] (+) r[b({r[phi] (+) 
    r[b({l[1]})]})]})] (+) r[b({r[phi] (+) phi})] (+) r[b({r[b({l[1]})]})] 
  = 
  \mu var(1) . r[a({var(1)})] (+) r[b({r[phi]})] (+) 
    r[b({r[phi] (+) r[b({l[1]})]})] 

The most important part of the algebraic specification consists of the equations defining 
the operations $\delta_{-}(\_)$, $Plus_{-}(\_, \_)$ and $Empty_{-}$. Most of these equations are implemented as 
presented in [SBR10]. The only difficulties we encountered were for the exponentiation 
case, as Maude does not handle higher-order functions. Without entering into details, as a 
workaround, we introduced a new sort Function < ExpStruct and an operation of arity ExpoCase 
Alph Functor ExpStruct -> Function in order to emulate function-passing. The first argument 
is used to memorise the origin where the exponentiation ingredient is encountered: $\delta$, 
$Plus$ or $Empty$. Its purpose is purely technical: we use it in order to avoid some internal 
matching problems. The other three parameters are those of the structured expressions 
presented in Section 3.3: a letter in the alphabet, an ingredient, and some 
other structured expression. 

Another thing worth describing is the way we enable CIRC to prove equivalences when 
the powerset functor occurs. Namely, we present how interpolant (3.15) is implemented. 
Recall that we want to show that two sets of expressions are equivalent, which means 
that for each expression in the first set there must be an equivalent one in the second set, 
and vice versa. 

In order to handle sets of structured expressions we introduce a new sort, ExpStructSet, as 
a supersort of ExpStruct. We also consider the set separator _,_ : ExpStructSet ExpStructSet 
-> ExpStructSet [assoc comm], the empty set emptyS : -> ExpStructSet, and the set wrapping 
operation {_} : ExpStructSet -> ExpStruct. In order to mimic universal quantification over 
a set, we use a special constant referred to as the token "[/]". In what follows, we consider 
two variables of sort ExpStruct, ES and ES', and two variables of sort ExpStructSet, ESS 
and ESS'. We now describe the process of finding the equivalence between two sets: 

- whenever encountering two wrapped expression sets we add the universal quantifi
cation token to each of them in two distinct goals: 

  srl {ESS} = {ESS'} => {[/] ESS} = {ESS'} /\ {ESS} = {[/] ESS'} . 

- iterate through the expressions on the left-hand side (similarly for the other direc
tion): 

  srl {[/] (ES , ESS)} = {ESS'} => 
      {[/] ES} = {ESS'} /\ {[/] ESS} = {ESS'} . 
  srl {ESS} = {[/] (ES' , ESS')} => 
      {ESS} = {[/] ES'} /\ {ESS} = {[/] ESS'} . 

- when left with one expression on the left-hand side, start iterating through the 
expressions on the right-hand side until finding an equivalence (similarly for the 
other direction): 

  srl {[/] ES} = {ES' , ESS'} => ES = ES' \/ {[/] ES} = {ESS'} . 
  srl {ES , ESS} = {[/] ES'} => ES = ES' \/ {ESS} = {[/] ES'} . 

- if no equivalence has been found, transform the current goal into a visible failure: 

  srl {ESS} = emptyS => true = false . 
  srl emptyS = {ESS} => true = false . 
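The rules above, and the LTS-versus-Mealy contrast drawn after Figure 3.4 (for LTS's, $\emptyset$ is a deadlock, so $\mu x.a(x)$ and $\emptyset$ are not bisimilar), can be exercised on finite transition systems with the following Python, an added example that is neither the thesis tool nor CIRC. A state of a $1 + (\mathcal{P}_\omega Id)^A$-coalgebra is either TERM (the $l[1]$ summand) or a map from actions to successor sets; the pair being checked is kept as a hypothesis on the current branch (the frozen hypotheses of a CIRC session), and successor sets are matched by the two quantifier passes of interpolant (3.15), a left-to-right pass and a right-to-left pass. The state names, the encoding of $P$, $P_1$ and $Q$ from Example 3.5.2, and the treatment of $\delta + \Omega$ as plain deadlock (since $\emptyset$ is the unit of $\oplus$) are assumptions of the example.

```python
"""Goal-directed bisimulation check for finite LTS's with successful termination,
i.e. coalgebras of 1 + (P_w Id)^A.  Added example; not the thesis tool and not CIRC.
A state is either TERM or a dict action -> set of successor states."""

ACTIONS = ("a", "b")      # the alphabet A of Example 3.5.2 (assumed)
TERM = "tick"             # successful termination: the l[1] summand

def successors(lts, s, act):
    st = lts[s]
    return frozenset() if st == TERM else frozenset(st.get(act, ()))

def bisimilar(lts, s, t, hyps=frozenset()):
    """True iff s ~ t.  hyps holds the pairs assumed on the current proof branch;
    meeting an assumed pair again discharges it (the coinductive step).  A failed
    alternative never leaks its assumptions, since hyps is only extended downwards."""
    if (s, t) in hyps:
        return True
    if (lts[s] == TERM) != (lts[t] == TERM):      # l[1] never matches r[...]
        return False
    hyps = hyps | {(s, t)}
    for act in ACTIONS:
        left, right = successors(lts, s, act), successors(lts, t, act)
        # {[/] left} = {right}: every left successor needs a bisimilar right one ...
        if not all(any(bisimilar(lts, s2, t2, hyps) for t2 in right) for s2 in left):
            return False
        # ... {left} = {[/] right}: and every right successor a bisimilar left one.
        if not all(any(bisimilar(lts, s2, t2, hyps) for s2 in left) for t2 in right):
            return False
    return True

# Constructed LTS for P, P1 and Q of Example 3.5.2 (state names are ours).
# "delta + Omega" is plain deadlock because phi is the unit of (+), and
# "y + delta" has exactly the moves of P1, since delta adds none.
PQ = {
    "P":           {"a": {"P", "P1"}, "b": {"bTick", "deadlock"}},
    "bTick":       {"b": {"tick"}},                          # b.tick
    "P1":          {"a": {"P1+delta"}, "b": {"deadlock", "delta+bTick"}},
    "P1+delta":    {"a": {"P1+delta"}, "b": {"deadlock", "delta+bTick"}},
    "delta+bTick": {"b": {"tick"}},
    "deadlock":    {},                                       # delta
    "tick":        TERM,
    "Q":           {"a": {"Q"}, "b": {"delta+bTick", "deadlock"}},
}

# The contrast after Figure 3.4: for LTS's, phi is a deadlock, so mu x.a(x)
# and phi are not bisimilar (for Mealy machines the same expressions are).
LOOP = {"mu x.a(x)": {"a": {"mu x.a(x)"}}, "phi": {}}

if __name__ == "__main__":
    print("P ~ Q:", bisimilar(PQ, "P", "Q"))
    print("mu x.a(x) ~ phi (as LTS's):", bisimilar(LOOP, "mu x.a(x)", "phi"))
```

Keeping hypotheses only along the current branch is what makes the disjunctions in the third pair of srl rules safe: an equivalence assumed while trying one candidate successor is forgotten if that candidate fails, so a wrong guess cannot poison the relation that the successful alternative eventually builds. The search is exponential in the worst case, which is acceptable for the small systems of this chapter.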

Finally, the type checker for structured expressions has a straightforward implementation. 
Its code does not appear in the generated specification as it is only used when the tool 
receives the expressions as input. This prevents obtaining the specification and starting 
the prover in case invalid expressions are provided. 


3.6 Discussion 


In this chapter we provided a decision procedure for the bisimilarity of generalised reg
ular expressions. In order to enable the implementation of the decision procedure, we 
have exploited an encoding of coalgebra into algebra, and we formalised the equivalence 
between the coalgebraic concepts associated with non-deterministic coalgebras [SBR10] 
and their algebraic correspondents. This led to the definition of algebraic specifications 
($\mathcal{E}_\mathcal{G}$) that model both the language and the coalgebraic structure of expressions. More
over, we defined an equational deduction relation ($\vdash_{NDF}$), used on the algebraic side for 
reasoning on the bisimilarity of expressions. 

The most important result of the parallel between the coalgebraic and algebraic ap
proaches is given in Corollary 3.3.4, which formalises the definition of the bisimulation 
relations in algebraic terms. Actually, this result is the key for proving the soundness of 
the decision procedure implemented in the automated prover CIRC [LGCR09]. As a coin
ductive prover, CIRC builds a relation $F$ closed under the application of $\delta_\mathcal{G}$ with respect 
to $\vdash_{NDF}$ ($\mathcal{E}_\mathcal{G} \cup [F] \vdash_{NDF} \delta_\mathcal{G}(F)$), hence automatically computing a bisimulation the initial 
proof obligations belong to. 

The approach we present in this chapter enables CIRC to perform reasoning based on 
bisimulations (instead of experiments [RL09]). This way, the prover is extended to check
ing bisimilarity in a large class of systems that can be modelled as non-deterministic coal
gebras. Note that the constructions above are all automated: the (non-trivial) CIRC 
algebraic specification describing $\mathcal{E}_\mathcal{G}$, together with the interpolants implementing $\vdash_{NDF}$, 
are generated with the Maude tool presented in Section 3.5. 












Chapter 4 

Decorated trace and testing semantics coalgebraically 


The study of behavioural equivalence of systems has been a research topic in concurrency 
for many years now. For different kinds of systems, several types of behavioural equiva¬ 
lences and preorders have been proposed throughout the years, each suitable for use in 
different contexts of application. 

In Chapter 3 we showed how (co)algebras can be used in order to model and reason on 
bisimilarity of expressions describing non-deterministic systems. 

The focus of this chapter is on a suite of other semantics of interest for labelled tran
sition systems (LTS's), generative probabilistic systems (GPS's) and labelled transition 
systems with divergence. More explicitly, we consider decorated trace semantics including 
ready, failure, (complete) trace, possible-futures, ready trace and failure trace for LTS's, 
as described in [vG01a], and ready, (maximal) failure and (maximal) trace for GPS's, as 
introduced in [JS90]. For the case of divergent LTS's, the emphasis is on must and may 
testing semantics [CH89]. 

In short, our approach consists in providing a coalgebraic modelling of the aforemen
tioned systems and their semantics. The latter are derived by employing the generalised 
powerset construction [SBBR13] and proved equivalent with their counterparts as de
fined in [CH89, vG01a, JS90]. This further allows reasoning on the corresponding no
tions of behavioural equivalence/preorder in terms of (Moore-)bisimulations. 

We further provide the intuition behind decorated trace and testing semantics. 

At the left-hand side of Figure 4.1 we illustrate the hierarchy (based on the coarseness 
level) among bisimilarity, ready, failure, (complete) trace, possible-futures, ready trace 
and failure trace semantics for LTS's, as introduced in [vG01a]. On the right-hand side a 
similar hierarchy is depicted for bisimilarity, ready, (maximal) failure and (maximal) trace 
semantics for GPS's, as in [JS90]. For example, for both types of systems, bisimilarity 
(the standard behavioural equivalence on $\mathcal{F}$-coalgebras) is the finest of the semantics, 
whereas trace semantics is the coarsest one. Moreover, note that for the case of GPS's, 
maximality does not yield more distinguishing power and ready and failure semantics are 
equivalent. 
[Figure 4.1: Lattices of semantic equivalences for LTS's and GPS's. LTS's, finest at the top: bisimilarity, possible-futures, ready trace, failure trace and ready, failure, complete trace, trace. GPS's: bisimilarity, ready (equivalent to (max.) failure), (max.) trace.] 

In order to get some intuition on the type of distinctions the equivalences above encom
pass, consider the following LTS's: 

[Diagram: four LTS's with top states $p$, $q$, $r$ and $s$; the transition structure is not recoverable from the text.] 

None of the top states of the systems above are bisimilar. The state p is the only one among the four in which an action a can lead to a deadlock state, whereas q, r and s have different branching structures.

The traces of the states p, q, r and s are {a, ab, ac}, and therefore they are all trace equivalent. Of the four states above, q, r and s are complete trace equivalent as they can execute the same traces that lead to states where no further actions are possible, whereas p is the only state that can trigger a and terminate.

Ready (respectively, failure) semantics identifies states according to the set of actions they 
can (respectively, fail to) trigger immediately after a certain trace has been executed. 
None of the states above are ready equivalent; for example, after the execution of action 
a, process p can reach a deadlock state whereas q has always to choose between actions 
b and c. Orthogonally, only r and s are failure equivalent. 

Possible-futures semantics identifies states that can perform the same traces w and, more¬ 
over, the states reached by executing such w’s are trace equivalent. None of the states 
above are possible-futures equivalent. For example, after triggering action a, p can reach 
a deadlock state (with no further behaviour) whereas q can execute the set of traces {b, c}. 
Ready (respectively failure) trace semantics identifies states that can trigger the same 
traces w and the (pairwise-taken) intermediate states determined by such w’s are ready 
(respectively refuse) to trigger the same sets of actions. None of the systems above is 
ready trace equivalent. For example, after performing action a, process q reaches a state 
that is ready to trigger both b and c, whereas r cannot. The analysis on failure trace equivalence follows a similar reasoning, but yields different results.

The corresponding semantic equivalences in Figure 4.1 distinguish between p, q, r and s as summarised in the table below:

                     p,q   p,r   p,s   q,r   q,s   r,s
  bisimilarity        ✗     ✗     ✗     ✗     ✗     ✗
  trace               ✓     ✓     ✓     ✓     ✓     ✓
  complete trace      ✗     ✗     ✗     ✓     ✓     ✓
  ready               ✗     ✗     ✗     ✗     ✗     ✗
  failure             ✗     ✗     ✗     ✗     ✗     ✓
  possible-futures    ✗     ✗     ✗     ✗     ✗     ✗
  ready trace         ✗     ✗     ✗     ✗     ✗     ✗
  failure trace       ✗     ✗     ✗     ✗     ✗     ✓

where ✓ stands for a "yes" answer with respect to the behavioural equivalence of two of the states p, q, r and s, whereas ✗ represents a "no" answer.

Intuitively, GPS's resemble LTS's, with the difference that each transition is labelled by both an action and the probability of that action being executed. For more insight on decorated trace semantics for GPS's, consider the following systems:

[Figure: two GPS's with initial states $p'$ and $q'$; only the transition labels (actions a, b, c, d carrying probabilities x, 1-x and 1) are recoverable from the extraction.]

In the setting of GPS’s, decorated trace semantics take into consideration paths w which 
can be executed by a probabilistic process p. Reasoning on the corresponding equiva¬ 
lences is based on the sum of probabilities of occurrence of such w’s that, for example, 
lead p to a set of processes, for the case of trace semantics, or to a set of processes that 
(fail to) trigger the same sets of actions as a first step, for ready (respectively, failure) 
semantics. 

In [JS90] a notion of maximality was introduced for the case of trace and failure semantics. Intuitively, the former takes into consideration the probability of a process $p$ to execute a certain trace $w$ and terminate, whereas the latter takes into consideration the largest set of actions $p$ fails to trigger as a first step after the execution of $w$. However, it has been proven in [JS90] that maximality does not increase the distinguishing power of decorated trace semantics and, moreover, ready and failure equivalence of GPS's coincide. With respect to (maximal) trace semantics, amongst the systems above, $p'$ and $q'$ are equivalent: they have the same probability of executing traces $w \in \{\epsilon, a, ab, abc, abd\}$. Moreover, each such $w$ leads $p'$ and $q'$ to sets of processes $S_1$, $S_2$ ready to fire the same actions. Consequently, $S_1$ and $S_2$ fail to trigger the same sets of actions as a first step. Hence, $p'$ and $q'$ are both ready and maximal failure equivalent at the same time. None of the processes above are bisimilar: the corresponding states reached via transitions labelled $a$ (with total probability 1) display different behaviour as they either have different branching structure, or can trigger different actions.

Orthogonally, as previously stated, in this chapter we also focus on providing a coalgebraic 
modelling of must and may testing semantics for divergent LTS’s. 

Intuitively, in the setting of testing semantics, given a fixed set of tests, two systems are deemed to be equivalent if they pass exactly the same tests. With concurrent non-deterministic processes, a system may pass a test in some, but not all, its executions. This leads to the definitions of may testing (a system may pass a test in some execution) and must testing (a system must pass a test in all its executions).

However, alternative trace-based characterisations of must and may testing were provided in [CH89, DH84, Hen88]. Intuitively, must testing preorder abstracts from infinite internal computations. It relates two processes $p$ and $q$ only if, for each trace $w$, whenever $p$ does not engage in divergent behaviour in its attempt to execute $w$, then neither does $q$. Moreover, $q$ has to be "less non-deterministic" than $p$ - a property established based on the inclusion of the acceptance (ready) sets associated with $q$ and $p$, respectively. Two processes are must equivalent whenever the must preorder relates them in both directions. May testing preorder (respectively, equivalence) coincides with the usual language inclusion (respectively, equality).

Consider, for example, the following two systems, where $\tau$ is used to represent an internal computation step:

[Figure: two LTS's with initial states $p$ and $q$ and internal $\tau$-steps; not recoverable from the extraction.]

Processes $p$ and $q$ cannot be related in terms of the must testing semantics. On the one hand, $q$ does not diverge with respect to action $d$, whereas $p$ diverges. On the other hand, $p$ is less non-deterministic than $q$, as the ready set $\{\{b, c\}\}$ of $p$ after performing action $a$ is not included in the ready set $\{\{b\}, \{c\}\}$ of $q$. However, $p$ and $q$ are may testing equivalent as they both execute the same sets of (visible) traces $\{\epsilon, a, d, ab, ac\}$.

In this chapter we show how decorated trace, must and may testing semantics can be recovered in a coalgebraic setting by employing the generalised powerset construction in [SBBR13]. The derived coalgebraic characterisations lead to canonical representatives in terms of final Moore automata, which further enable reasoning by constructing bisimulations witnessing the desired notion of behavioural equivalence/preorder. Moreover, as we also saw in the previous chapter, this result is interesting from the point of view of tool development as well: construction of bisimulations is known to be particularly suitable for automation.

It is also interesting to observe that the spectrum of decorated trace semantics in Figure 4.1 can be recovered from our coalgebraic modelling. The procedure is briefly summarised in Section 4.5 for the case of failure and complete trace semantics for LTS's, and ready and trace semantics for GPS's, respectively.

Organisation of the chapter. In Section 4.1 and Section 4.2 we show how the powerset construction can be applied for determinising LTS's and GPS's, respectively, in terms of Moore automata $(X, f\colon X \to B \times X^A)$, in order to coalgebraically characterise the corresponding decorated trace semantics. Here we also prove that the obtained coalgebraic models are equivalent to the original definitions, and illustrate how one can reason about decorated trace equivalence by constructing (Moore) bisimulations. A compact overview on the uniform coalgebraic framework is given in Section 4.3. Section 4.4 discusses that the canonical representatives of LTS's and GPS's we obtain coalgebraically coincide with the corresponding minimal automata one would obtain by identifying all states equivalent with respect to a particular decorated trace semantics. In Section 4.5 we show that the spectrum of decorated trace semantics can be obtained from the coalgebraic modelling. A coalgebraic modelling of may and must testing semantics, respectively, is provided in Section 4.6 by exploiting extensions of trace and failure semantics, respectively, to the context of LTS's with internal behaviour. Finally, Section 4.7 contains a summary of the results in this chapter.


4.1 Decorated trace semantics of LTS’s 


In this section, our aim is to provide a coalgebraic view on decorated trace equivalences 
of labelled transition systems (LTS’s). We use the generalised powerset construction and 
show how one can determinise arbitrary LTS’s obtaining particular instances of Moore 
automata (with different output sets) in order to model ready, failure, (complete) trace, 
possible-futures, ready trace and failure trace equivalences. This paves the way to build¬ 
ing a general framework for reasoning on decorated trace equivalences in a uniform 
fashion, in terms of bisimulations (up-to context). 

Note that our results are derived in the context of image finite LTS's, in accordance with the setting proposed in [vG01a]. An LTS is a pair $(X, \delta)$ where $X$ is a set of states and $\delta\colon X \to (\mathcal{P}_\omega X)^A$ is a function assigning to each state and to each label $a \in A$ a finite set of possible successor states. We write $x \xrightarrow{a} y$ whenever $y \in \delta(x)(a)$. We extend the notion of transition to words $w = a_1 \ldots a_n \in A^*$ as follows: $x \xrightarrow{w} y$ if and only if there are states $x_1, \ldots, x_{n-1} \in X$ such that $x \xrightarrow{a_1} x_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} y$. For $w = \epsilon$, we have $x \xrightarrow{w} y$ if and only if $y = x$.

The coalgebraic characterisation of ready, failure and (complete) trace was originally obtained in [SBBR13]. We recall it here, with a slight adaptation which will be useful for the generalisations we will explore. Given an arbitrary LTS

$(X, \delta\colon X \to (\mathcal{P}_\omega X)^A)$,

one constructs a decorated LTS, which is a coalgebra of the functor $B_{\mathcal{K}} \times (\mathcal{P}_\omega(-))^A$. More precisely, we construct

$(X, \langle o_{\mathcal{K}}, \delta\rangle\colon X \to B_{\mathcal{K}} \times (\mathcal{P}_\omega X)^A)$,

where the output operation

$o_{\mathcal{K}}\colon X \to B_{\mathcal{K}}$

provides the observations of interest (the decorations) corresponding to the original LTS and depending on the equivalence ($\mathcal{K}$) we want to study. Note that both the output operation and its codomain are parameterised by $\mathcal{K}$.

Then, the decorated LTS is determinised as depicted in Figure 4.2 according to the powerset construction summarised in diagram (2.7) in Section 2.3. Recall that the generalised powerset construction is applied in the framework of coalgebras $f\colon X \to \mathcal{F}T(X)$ for a functor $\mathcal{F}$ and a monad $T$, with $\mathcal{F}T(X)$ a $T$-algebra. Intuitively, monads are used to hide computational effects such as non-determinism, whereas the requirement that $\mathcal{F}T(X)$ is an algebra for $T$ guarantees the unique extension of $f$ to a $T$-algebra homomorphism $f^\sharp$ representing a new coalgebra with state space hiding the computational effects. Consequently, this extension enables reasoning on $\mathcal{F}$-equivalence in the coalgebra $f^\sharp$, rather than reasoning on the (finer) $\mathcal{F}T$-equivalence in the coalgebra $f$.

For the case of decorated LTS's, we instantiate $T$ with the powerset monad $(\mathcal{P}_\omega, \eta, \mu)$ such that $\eta(x) = \{x\}$ and $\mu(U) = \bigcup_{S \in U} S$, and $\mathcal{F}$ with $\mathcal{F}(-) = B_{\mathcal{K}} \times (-)^A$. Moreover, $\mathcal{F}T(X)$ carries a $T$-algebra structure, that is a semilattice, as $\mathcal{P}_\omega(X)$ and $B_{\mathcal{K}}$ are semilattices (as we shall see later, for each of the semantics $\mathcal{K}$), and product and exponentiation preserve the algebra structure. We will see that this extension enables shifting from reasoning on bisimilarity of decorated LTS's to reasoning on the (coarser) language (trace) equivalence. Note that the semilattice structures ensure the existence of least upper bounds, which further enable the definition of $\langle o, t\rangle$ and $[\![-]\!]$ as semilattice morphisms. In Figure 4.2 we use $\sqcup$ to denote both the operation of $B_{\mathcal{K}}$ and the union of subsets in $\mathcal{P}_\omega X$.



  $X \xrightarrow{\ \eta\ } \mathcal{P}_\omega X \xrightarrow{\ [\![-]\!]\ } B_{\mathcal{K}}^{A^*}$

  $\langle o_{\mathcal{K}}, \delta\rangle\colon X \to B_{\mathcal{K}} \times (\mathcal{P}_\omega X)^A$, $\quad \langle o, t\rangle\colon \mathcal{P}_\omega X \to B_{\mathcal{K}} \times (\mathcal{P}_\omega X)^A$, $\quad \langle \epsilon, (-)_a\rangle\colon B_{\mathcal{K}}^{A^*} \to B_{\mathcal{K}} \times (B_{\mathcal{K}}^{A^*})^A$

  $o(Y) = \bigsqcup_{y \in Y} o_{\mathcal{K}}(y)$ $\qquad$ $[\![Y]\!](\epsilon) = o(Y)$

  $t(Y)(a) = \bigsqcup_{y \in Y} \delta(y)(a)$ $\qquad$ $[\![Y]\!](aw) = [\![\bigsqcup_{y \in Y} \delta(y)(a)]\!](w)$

Figure 4.2: The powerset construction for decorated LTS's.


The coalgebraic modelling of possible-futures semantics could easily be recovered by following a similar approach. However, for the case of ready and failure trace semantics the transition structure of the LTS also needs to be slightly modified before the determinisation. This consists in changing the alphabet $A$ to include additional information represented by sets of actions ready to be triggered as a first step. Consequently, to each LTS $(X, \delta\colon X \to (\mathcal{P}_\omega X)^A)$ a unique coalgebra $(X, \langle o_{\mathcal{K}}, \delta'\rangle\colon X \to B_{\mathcal{K}} \times (\mathcal{P}_\omega X)^{A'})$, over the modified alphabet $A'$ and with the transition structure $\delta'$ adapted accordingly, is associated, defined in a natural fashion, as we will present later on. The construction in Figure 4.2 is then applied on $(X, \langle o_{\mathcal{K}}, \delta'\rangle)$.

The explicit instantiations of $o_{\mathcal{K}}$ and $B_{\mathcal{K}}$ are provided later in this section, where we will also show that the coalgebraic modelling in fact coincides with the original definitions of the corresponding equivalences. This was not formally shown in [SBBR13] for any of the aforementioned semantics.

The coalgebraic modelling of decorated trace semantics enables the definition of the corresponding equivalences as Moore bisimulations [Rut00] (i.e., bisimulations for a functor $M = B_{\mathcal{K}} \times X^A$). This way, checking behavioural equivalence of $x_1$ and $x_2$ reduces to checking the equality of their unique representatives in the final coalgebra: $[\![\{x_1\}]\!]$ and $[\![\{x_2\}]\!]$.

In the subsequent sections we a) prove the details on the coalgebraic modelling of ready, failure, (complete) trace, possible-futures, ready trace and failure trace semantics, b) show that the corresponding representations coincide with their original definitions in [vG01a] and c) demonstrate, by means of examples, how the associated coalgebraic framework can be used in order to reason on (some of) the aforementioned equivalences in terms of Moore bisimulations.

4.1.1 Ready and failure semantics

In this section we show how the ingredients of Figure 4.2 can be instantiated in order to provide a coalgebraic modelling of ready and failure semantics. We also prove that the resulting coalgebraic characterisations of these semantics are equivalent to their original definitions in [vG01a]. Moreover, we provide an optimisation that can be used when reasoning on failure equivalence, based on the isomorphism of downsets and antichains.

Consider an LTS $(X, \delta\colon X \to (\mathcal{P}_\omega X)^A)$ and define, for a function $\varphi\colon A \to \mathcal{P}_\omega X$, the set of actions enabled by $\varphi$:

$I(\varphi) = \{a \in A \mid \varphi(a) \neq \emptyset\}$, (4.1)

and the set of actions $\varphi$ fails to enable:

$\mathit{Fail}(\varphi) = \{Z \subseteq A \mid Z \cap I(\varphi) = \emptyset\}$.

For the particular case $\varphi = \delta(x)$, $I(\delta(x))$ denotes the set of all (initial) actions ready to be fired by $x \in X$, and $\mathit{Fail}(\delta(x))$ represents the set of subsets of all (initial) actions that cannot be triggered by such $x$.

A ready pair of $x$ is a pair $(w, Z) \in A^* \times \mathcal{P}_\omega A$ such that $x \xrightarrow{w} y$ and $Z = I(\delta(y))$. A failure pair of $x$ is a pair $(w, Z) \in A^* \times \mathcal{P}_\omega A$ such that $x \xrightarrow{w} y$ and $Z \in \mathit{Fail}(\delta(y))$. We denote by $\mathcal{R}(x)$ and $\mathcal{F}(x)$, respectively, the sets of all ready pairs and failure pairs associated with $x$.

Intuitively, ready semantics identifies states in $X$ based on the actions $a \in A$ they can immediately trigger after performing a certain action sequence $w \in A^*$, i.e., based on their ready pairs. It was originally defined as follows:

4.1.1 Definition (Ready equivalence [OH86, vG01a]). Let $(X, \delta\colon X \to (\mathcal{P}_\omega X)^A)$ be an LTS and $x, y \in X$ two states. States $x$ and $y$ are ready equivalent ($\mathcal{R}$-equivalent) if and only if they have the same set of ready pairs, that is $\mathcal{R}(x) = \mathcal{R}(y)$, where

$\mathcal{R}(x) = \{(w, Z) \in A^* \times \mathcal{P}_\omega A \mid \exists x' \in X.\, x \xrightarrow{w} x' \wedge Z = I(\delta(x'))\}$.

Failure semantics identifies behaviours of states in $X$ according to their failure pairs.

4.1.2 Definition (Failure equivalence [vG01a]). Let $(X, \delta\colon X \to (\mathcal{P}_\omega X)^A)$ be an LTS and $x, y \in X$ two states. States $x$ and $y$ are failure equivalent ($\mathcal{F}$-equivalent) if and only if $\mathcal{F}(x) = \mathcal{F}(y)$, where

$\mathcal{F}(x) = \{(w, Z) \in A^* \times \mathcal{P}_\omega A \mid \exists x' \in X.\, x \xrightarrow{w} x' \wedge Z \in \mathit{Fail}(\delta(x'))\}$.

The coalgebraic modelling of ready, respectively, failure semantics is obtained in a uniform fashion, by instantiating the ingredients of Figure 4.2 as follows. For $\mathcal{K} \in \{\mathcal{R}, \mathcal{F}\}$, $o_{\mathcal{K}}\colon X \to \mathcal{P}_\omega(\mathcal{P}_\omega A)$ is defined as:

$o_{\mathcal{R}}(x) = \{I(\delta(x))\}$ $\qquad$ $o_{\mathcal{F}}(x) = \mathit{Fail}(\delta(x))$.

Intuitively, in the setting of ready semantics, the observations provided by the output op¬ 
eration refer to the sets of actions ready to be executed by the states of the LTS. Similarly, 
for failure semantics, the output operation refers to the sets of actions the states of the 
LTS cannot immediately fire. 
Remark. Observe that the codomain of $o_{\mathcal{R}}$ is $\mathcal{P}_\omega(\mathcal{P}_\omega A)$, and not $\mathcal{P}_\omega A$, as one might expect. However, this is consistent with the intended semantics. For $B_{\mathcal{R}} = B_{\mathcal{F}} = \mathcal{P}_\omega(\mathcal{P}_\omega A)$, the final Moore coalgebra has carrier $(\mathcal{P}_\omega(\mathcal{P}_\omega A))^{A^*}$, which is isomorphic to $\mathcal{P}(A^* \times \mathcal{P}_\omega(A))$, the type of $\mathcal{R}(x)$ and $\mathcal{F}(x)$. The unique homomorphism into the final coalgebra will associate to each state $\{x\}$ a function that for each $w \in A^*$ returns a set containing all sets $R_{x'}$ of ready (resp. failed) actions triggered by all $x'$ such that $x \xrightarrow{w} x'$, for $x, x' \in X$.

Next, we will prove the equivalence between the coalgebraic modelling of ready and failure semantics and their original definitions, presented above. More explicitly, given an arbitrary LTS $(X, \delta\colon X \to (\mathcal{P}_\omega X)^A)$ and a state $x \in X$, we want to show that $[\![\{x\}]\!]$ is equal to $\mathcal{K}(x)$, for $\mathcal{K} \in \{\mathcal{R}, \mathcal{F}\}$, depending on the semantics of interest. However, note that the definition of $[\![-]\!]$ is independent of $\mathcal{K}$; the difference is (implicitly) made by the output function $o_{\mathcal{K}}$.

The behaviour of a state $x \in X$ is a function $[\![\{x\}]\!]\colon A^* \to \mathcal{P}_\omega(\mathcal{P}_\omega A)$, whereas $\mathcal{K}(x)$ is defined as a set of pairs in $A^* \times \mathcal{P}_\omega A$. We represent the set $\mathcal{K}(x) \in \mathcal{P}(A^* \times \mathcal{P}_\omega A)$ by a function $\varphi_x^{\mathcal{K}}\colon A^* \to \mathcal{P}_\omega(\mathcal{P}_\omega A)$, where, for $w \in A^*$,

$\varphi_x^{\mathcal{R}}(w) = \{I(\delta(y)) \mid x \xrightarrow{w} y\}$

$\varphi_x^{\mathcal{F}}(w) = \{Z \subseteq A \mid x \xrightarrow{w} y \wedge Z \in \mathit{Fail}(\delta(y))\}$.

Showing the equivalence between the coalgebraic and the original definitions of ready, respectively, failure semantics reduces to proving that

$(\forall x \in X).\, [\![\{x\}]\!] = \varphi_x^{\mathcal{K}}$. (4.2)


4.1.3 Theorem. Let $(X, \delta\colon X \to (\mathcal{P}_\omega X)^A)$ be an LTS. Then for all $x \in X$, $w \in A^*$, and $\mathcal{K} \in \{\mathcal{R}, \mathcal{F}\}$, $[\![\{x\}]\!](w) = \varphi_x^{\mathcal{K}}(w)$.

Proof. For $\mathcal{K}$ ranging over $\{\mathcal{R}, \mathcal{F}\}$, the proof is by induction on words $w \in A^*$. We provide the details for the case of ready semantics. A similar reasoning can be applied for failure semantics.

- Base case, $w = \epsilon$. We have:

  $[\![\{x\}]\!](\epsilon) = o(\{x\}) = o_{\mathcal{R}}(x) = \{I(\delta(x))\}$

  $\varphi_x^{\mathcal{R}}(\epsilon) = \{I(\delta(y)) \mid x \xrightarrow{\epsilon} y\} = \{I(\delta(x))\}$

- Induction step. Consider $w \in A^*$ and assume, for all $x \in X$, $[\![\{x\}]\!](w) = \varphi_x^{\mathcal{R}}(w)$. We want to prove that $[\![\{x\}]\!](aw) = \varphi_x^{\mathcal{R}}(aw)$, where $a \in A$. Using that $[\![-]\!]$ is a semilattice morphism for the third step, we have:

  $[\![\{x\}]\!](aw) = [\![\delta(x)(a)]\!](w) = [\![t(\{x\})(a)]\!](w) = \bigcup_{x \xrightarrow{a} z} [\![\{z\}]\!](w) = \bigcup_{x \xrightarrow{a} z} \varphi_z^{\mathcal{R}}(w)$

  $= \bigcup_{x \xrightarrow{a} z} \{I(\delta(y)) \mid z \xrightarrow{w} y\} = \{I(\delta(y)) \mid x \xrightarrow{a} z \wedge z \xrightarrow{w} y\} = \{I(\delta(y)) \mid x \xrightarrow{aw} y\} = \varphi_x^{\mathcal{R}}(aw)$. □
4.1.4 Example. In what follows we illustrate the equivalence between the coalgebraic and the original definitions of ready semantics by means of an example. Consider the following LTS.

[Figure: LTS with states $p_0, \ldots, p_5$; as far as the extraction and the ready pairs below allow it to be read: $p_0 \xrightarrow{a} p_0$, $p_0 \xrightarrow{a} p_1$, $p_1 \xrightarrow{b} p_2$, $p_1 \xrightarrow{b} p_3$, $p_2 \xrightarrow{c} p_4$, $p_3 \xrightarrow{d} p_5$.]

We write $a^n$ to represent the action sequence $aa\ldots a$ of length $n \geq 1$, with $n \in \mathbb{N}$. The set $\mathcal{R}(p_0)$ of all ready pairs associated with $p_0$ is:

$\{(\epsilon, \{a\}), (a^n, \{a\}), (a^n, \{b\}), (a^n b, \{c\}), (a^n b, \{d\}), (a^n bc, \emptyset), (a^n bd, \emptyset) \mid n \geq 1\}$.

We can construct a Moore automaton, for $S = \{p_0, p_1, \ldots, p_5\}$,

$(\mathcal{P}_\omega S, \langle o, t\rangle\colon \mathcal{P}_\omega S \to \mathcal{P}_\omega(\mathcal{P}_\omega A) \times (\mathcal{P}_\omega S)^A)$,

by applying the generalised powerset construction on the LTS above. The automaton will have $2^6 = 64$ states. We depict the accessible part from state $\{p_0\}$, where the output sets are indicated by double arrows:

[Figure 4.3: Ready determinisation when starting from $\{p_0\}$. As far as recoverable: $\{p_0\} \Rightarrow \{\{a\}\}$; $\{p_0\} \xrightarrow{a} \{p_0, p_1\} \Rightarrow \{\{a\}, \{b\}\}$, with an $a$-loop on $\{p_0, p_1\}$; $\{p_0, p_1\} \xrightarrow{b} \{p_2, p_3\} \Rightarrow \{\{c\}, \{d\}\}$; $\{p_2, p_3\} \xrightarrow{c} \{p_4\} \Rightarrow \{\emptyset\}$; $\{p_2, p_3\} \xrightarrow{d} \{p_5\} \Rightarrow \{\emptyset\}$.]

The output set of a state $Y$ of the Moore automaton in Figure 4.3 is the set of actions associated with a certain state $y \in Y$ which can immediately be performed. For example, process $p_0$ in the original LTS above is ready to perform action $a$, whereas $p_1$ can immediately perform $b$. Therefore it holds that $o(\{p_0\}) = \{\{a\}\}$ and $o(\{p_0, p_1\}) = \{\{a\}, \{b\}\}$.

By simply looking at the automaton in Figure 4.3 one can easily see that the set of action sequences $w \in A^*$ the state $\{p_0\}$ can execute, together with the corresponding possible next actions, equals $\mathcal{R}(p_0)$. Therefore, the automaton generated according to the generalised powerset construction captures the set of all ready pairs of the initial LTS.


4.1.5 Example. The last example considered in this section shows how the coalgebraic framework can be applied in order to reason on failure equivalence of LTS's. (Checking ready equivalence follows a similar approach.) Consider the following two systems.

[Figure: two LTS's with initial states $p_0$ and $q_0$ (states $p_0, \ldots, p_{10}$ and $q_0, \ldots, q_{10}$); the transition structure is not recoverable from the extraction.]

Let $Z = \{a_1, a_2, \ldots, a_n\}$ be the set of actions a process fails executing as a first step. For the simplicity of notation, we write $[a_1 a_2 \ldots a_n]$ to denote the set of all non-empty subsets $Z' \subseteq Z$. For example, if $Z = \{a_1, a_2\}$, then $[a_1 a_2]$ stands for $\{\{a_1\}, \{a_2\}, \{a_1, a_2\}\}$.

Note that $p_0$ and $q_0$ are $\mathcal{F}$-equivalent, according to Definition 4.1.2, as they have the same sets of failure pairs $\mathcal{F}(p_0)$ and $\mathcal{F}(q_0)$, respectively, equal to:

$\{(\epsilon, [def]), (b, [abcdef]), (c, [abcdef])\} \cup \{(a^n, [def]), (a^n, [bde]), (a^n b, [abcdef]), (a^n c, [abcdef]), (a^n c, [abcef]), (a^n c, [abcdf]), (a^n f, [abcdef]), (a^n cd, [abcdef]), (a^n ce, [abcdef]) \mid n \in \mathbb{N}, n \geq 1\}$.

The same conclusion can be reached by checking behavioural equivalence of the two Moore automata generated according to the powerset construction, starting with $\{p_0\}$ and $\{q_0\}$. The fragments of the two automata starting from the states $\{p_0\}$ and $\{q_0\}$ are depicted in Figure 4.4 on page 58. The states $\{p_0\}$ and $\{q_0\}$ are Moore bisimilar, since their corresponding automata are isomorphic.



[Figure 4.4: Failure determinisation when starting from $\{p_0\}$ and $\{q_0\}$. Two isomorphic fragments of Moore automata whose states are sets such as $\{p_0\}$, $\{p_0, p_3, p_4\}$, $\{p_1, p_5\}$, $\{p_2, p_6, p_7\}$, $\{p_8\}$, $\{p_9\}$, $\{p_{10}\}$ and the corresponding $q$-sets, with outputs written in the $[\ldots]$ notation; the transitions and outputs are not reliably recoverable from the extraction.]
Optimisation for failure semantics. In this section we showed how failure semantics can be modelled in a coalgebraic setting, by employing the generalised powerset construction. More explicitly, given a state $p$ of an LTS $(S, \delta\colon S \to (\mathcal{P}_\omega S)^A)$, we showed how to build a (final) Moore coalgebra $(\mathcal{P}_\omega S, \langle o, t\rangle\colon \mathcal{P}_\omega S \to \mathcal{P}_\omega(\mathcal{P}_\omega A) \times (\mathcal{P}_\omega S)^A)$ "capturing" the corresponding set of failure pairs $\mathcal{F}(p)$, hence enabling reasoning on failure equivalence in terms of Moore bisimulations.

An optimised, equivalent modelling of failure semantics can be provided by exploiting the standard isomorphism between downsets and antichains. As we shall see, this enables reasoning on the corresponding equivalence more effectively, based on bisimulations of Moore automata with "smaller" output sets consisting of ready actions.

A downset in $\mathcal{P}_\omega(A)$ is a set $D \subseteq \mathcal{P}_\omega(A)$ such that if $Z \in D$ and $Z' \subseteq Z$ then $Z' \in D$. We use $\mathcal{D}(\mathcal{P}_\omega(A))$ to denote the set of downsets of $\mathcal{P}_\omega(A)$. Note that we can define a semilattice $(\mathcal{D}(\mathcal{P}_\omega(A)), \cup, \emptyset)$ by taking $\cup$ as being the union and $\emptyset$ as the empty set.

An antichain on $\mathcal{P}_\omega(A)$ is a set $I \subseteq \mathcal{P}_\omega(A)$ such that if $Z \in I$ then there exists no $Z' \in I$ such that $Z' \subset Z$. We use $\mathcal{A}(\mathcal{P}_\omega(A))$ to denote the set of antichains of $\mathcal{P}_\omega(A)$. Note that the union of antichains is not necessarily an antichain. However, we can define a semilattice on $\mathcal{A}(\mathcal{P}_\omega(A))$ by taking the join $\sqcup$ defined as $I_1 \sqcup I_2 = \min(I_1 \cup I_2)$ where

$\min(I) = \{Z \in I \mid \nexists Z' \in I.\, Z' \subset Z\}$. (4.3)

Now consider the homomorphisms $i\colon \mathcal{D}(\mathcal{P}_\omega(A)) \to \mathcal{A}(\mathcal{P}_\omega(A))$ defined as

$i(F) = \min\big(\bigcup_{F_i \in F} \{A - F_i\}\big)$ (4.4)

and $j\colon \mathcal{A}(\mathcal{P}_\omega(A)) \to \mathcal{D}(\mathcal{P}_\omega(A))$ defined as

$j(I) = {\downarrow}\big(\bigcup_{I_i \in I} \{A - I_i\}\big)$, (4.5)

where ${\downarrow}S$ denotes the downward closure of a set $S$. It is easy to see that one homomorphism is the inverse of the other and thus the semilattices $\mathcal{D}(\mathcal{P}_\omega(A))$ and $\mathcal{A}(\mathcal{P}_\omega(A))$ are isomorphic.

At this point, it is worth observing that for all $X \in \mathcal{P}_\omega(S)$, the Moore output function $o(X)$ is a downset (since $o_{\mathcal{F}}(x)$ is a downset for all $x$, and since the union of downsets is a downset). Therefore we can safely restrict the codomain of $o\colon \mathcal{P}_\omega(S) \to \mathcal{P}_\omega(\mathcal{P}_\omega(A))$ to $o\colon \mathcal{P}_\omega(S) \to \mathcal{D}(\mathcal{P}_\omega(A))$. By exploiting the isomorphism discussed above, we can instead define the function $o_1\colon \mathcal{P}_\omega(S) \to \mathcal{A}(\mathcal{P}_\omega(A))$ as follows: for all $X \in \mathcal{P}_\omega(S)$,

$o_1(X) = \{I(\delta(x))\}$ if $X = \{x\}$ with $x \in S$,

$o_1(X) = \emptyset$ if $X = \emptyset$,

$o_1(X) = \min(o_1(X_1) \cup o_1(X_2))$ if $X = X_1 \cup X_2$.

4.1.6 Proposition. For all $X, Y \in \mathcal{P}_\omega(S)$, $o(X) = o(Y)$ iff $o_1(X) = o_1(Y)$.

Proof. The proof follows from the fact that $o_1 = i \circ o$ and that $i\colon \mathcal{D}(\mathcal{P}_\omega(A)) \to \mathcal{A}(\mathcal{P}_\omega(A))$ and $j\colon \mathcal{A}(\mathcal{P}_\omega(A)) \to \mathcal{D}(\mathcal{P}_\omega(A))$ are mutually inverse isomorphisms. □


This optimisation can be applied also for the case of failure trace semantics in Section 4.1.4. Moreover, as presented in Section 4.6.2, the isomorphism of downsets and antichains is used for the coalgebraic modelling of must testing semantics.
4.1.2 (Complete) trace semantics

In this section we model coalgebraically trace and complete trace semantics. Similar to 
the previous section, we also show that the corresponding coalgebraic representations of 
these semantics are equivalent to their original definitions. 

Consider an LTS $(X, \delta\colon X \to (\mathcal{P}_\omega X)^A)$. Trace semantics identifies states in $X$ according to the set of words $w \in A^*$ they can execute, whereas complete trace semantics identifies states $x \in X$ based on their set of complete traces. A trace $w \in A^*$ of $x$ is complete if and only if $x$ can perform $w$ and reach a deadlock state $y$ or, equivalently,

$(\exists y \in X).\, x \xrightarrow{w} y \wedge I(\delta(y)) = \emptyset$.

The difference between trace and complete trace semantics is that the latter enables an external observer to detect stagnation, or deadlock states of a system.

Formally, trace and complete trace equivalences are defined as follows. 

4.1.7 Definition (Trace equivalence [Hoa78, vG01a]). Let $(X, \delta\colon X \to (\mathcal{P}_\omega X)^A)$ be an LTS and $x, y \in X$ two states. States $x$ and $y$ are trace equivalent ($\mathcal{T}$-equivalent) if and only if $\mathcal{T}(x) = \mathcal{T}(y)$, where

$\mathcal{T}(x) = \{w \in A^* \mid \exists x' \in X.\, x \xrightarrow{w} x'\}$. (4.6)

4.1.8 Definition (Complete trace equivalence [AFV99]). Consider an LTS $(X, \delta\colon X \to (\mathcal{P}_\omega X)^A)$ and $x, y \in X$ two states. States $x$ and $y$ are complete trace equivalent ($\mathcal{CT}$-equivalent) if and only if $\mathcal{CT}(x) = \mathcal{CT}(y)$, where

$\mathcal{CT}(x) = \{w \in A^* \mid \exists x' \in X.\, x \xrightarrow{w} x' \wedge I(\delta(x')) = \emptyset\}$.


In what follows we instantiate the constituents of Figure 4.2 in order to provide the associated coalgebraic modellings.

For $\mathcal{K} \in \{\mathcal{T}, \mathcal{CT}\}$, the output function $o_{\mathcal{K}}\colon X \to 2$ is:

$o_{\mathcal{T}}(x) = 1$ $\qquad$ $o_{\mathcal{CT}}(x) = 1$ if $I(\delta(x)) = \emptyset$, and $0$ otherwise.

Note that, for trace semantics, one does not distinguish between traces and complete traces. Intuitively, all states are accepting, so they have the same observable behaviour (i.e., $o_{\mathcal{T}}(x) = 1$), no matter the transitions they perform. On the other hand, complete trace semantics distinguishes between deadlock states and states that can still execute actions $a \in A$.

Consider, for example, the following LTS:

[Figure: LTS with states $p_0$, $p_1$, $p_2$; as far as recoverable from the extraction and from (4.7): $p_0 \xrightarrow{a} p_1$, $p_0 \xrightarrow{a} p_2$, $p_2 \xrightarrow{b} p_0$.]

Observe that, for each $n \geq 0$, $(ab)^n a$ is a complete trace of $p_0$, as

$p_0 \xrightarrow{a} p_2 \xrightarrow{b} p_0 \xrightarrow{a} p_2 \xrightarrow{b} \cdots \xrightarrow{b} p_0 \xrightarrow{a} p_1$ (4.7)

where $p_1$ cannot perform any further action.









The above behaviour, described in terms of transitions between states of the Moore automaton derived according to the generalised powerset construction, can be depicted as follows:

$\{p_0\} \xrightarrow{a} \{p_1, p_2\} \xrightarrow{b} \{p_0\} \xrightarrow{a} \{p_1, p_2\} \xrightarrow{b} \cdots \xrightarrow{b} \{p_0\} \xrightarrow{a} \{p_1, p_2\}$

where $p_1$ is a deadlock state and $p_2$ is not.

Intuitively, for $n \geq 0$, we can state that $(ab)^n a$ is a complete trace of $\{p_0\}$, as the deadlock state $p_1 \in \{p_1, p_2\}$ can be reached from $\{p_0\}$ by performing $(ab)^n a$ (see (4.7)).

Therefore, given $Y_1, Y_2 \subseteq X$ and $w \in A^*$ such that $Y_1 \xrightarrow{w} Y_2$, we observe that $w$ is a complete trace of $Y_1$ whenever there exists a deadlock state $y \in Y_2$. Otherwise, $w$ is not a complete trace of $Y_1$.

In the coalgebraic modelling, the above observations with respect to the (non)stagnating states appear in the definition of the function $o\colon \mathcal{P}_\omega(X) \to 2$. Note that, for example, $o(\{p_1, p_2\}) = 1$ and $o(\{p_0\}) = 0$ for the case of complete trace equivalence, as $p_1$ is a deadlock state and $p_0$ is not. For trace semantics we have $o(\{p_1, p_2\}) = o(\{p_0\}) = 1$. Here, $B_{\mathcal{K}} = 2$ and the final Moore coalgebra in Figure 4.2 is the set of languages $2^{A^*}$ over $A$ (and the transition structure $\langle \epsilon, (-)_a\rangle$ is simply given by Brzozowski derivatives). Therefore, we can state that the map into the final coalgebra associates to each state $Y \in \mathcal{P}_\omega X$ the set of all traces corresponding to states $y \in Y$, namely, the language:

$L = \bigcup_{y \in Y} \{w \in A^* \mid (\exists y' \in X).\, y \xrightarrow{w} y'\}$.


The set $\mathcal{P}(A^*)$ is isomorphic to the set of functions $2^{A^*}$, which enables us to represent the set $\mathcal{K}(x)$ in terms of its characteristic function $\varphi_x^{\mathcal{K}}\colon A^* \to 2$ defined, for $\mathcal{K} \in \{\mathcal{T}, \mathcal{CT}\}$ and $w \in A^*$, as follows:

$\varphi_x^{\mathcal{T}}(w) = 1$ if $\exists y \in X.\, x \xrightarrow{w} y$, and $0$ otherwise;

$\varphi_x^{\mathcal{CT}}(w) = 1$ if $\exists y \in X.\, x \xrightarrow{w} y \wedge I(\delta(y)) = \emptyset$, and $0$ otherwise.

Proving the equivalence between the coalgebraic and the classic definition of (complete) trace semantics reduces to showing that

$(\forall x \in X).\, [\![\{x\}]\!] = \varphi_x^{\mathcal{K}}$. (4.8)


4.1.9 Theorem. Let $(X, \delta\colon X \to (\mathcal{P}_\omega X)^A)$ be an LTS. Then for all $x \in X$, $w \in A^*$ and $\mathcal{K} \in \{\mathcal{T}, \mathcal{CT}\}$,

$[\![\{x\}]\!](w) = \varphi_x^{\mathcal{K}}(w)$.

Proof. The proof is by induction on words $w \in A^*$ (similar to the proof of Theorem 4.1.3). □

4.1.10 Example. Consider the following two LTS's:

[Figure: two LTS's; as far as recoverable from the extraction and from Figure 4.5: $w_0 \xrightarrow{a} w_0$ and $w_0 \xrightarrow{a} w_1$ with $w_1$ deadlocked, and $w_0' \xrightarrow{a} w_0'$.]

Observe that $w_0$ and $w_0'$ are trace equivalent (according to Definition 4.1.7), as they output the same sets of traces

$\mathcal{T}(w_0) = \mathcal{T}(w_0') = \{\epsilon\} \cup \{a^n \mid n \in \mathbb{N}, n \geq 1\}$

but they are not complete trace equivalent (according to Definition 4.1.8), as $w_0'$ can never reach a deadlock state, whereas $w_0$ can reach the stagnating state $w_1$.

[Figure 4.5: Complete trace determinisation when starting from $\{w_0\}$, $\{w_0'\}$. As far as recoverable: $\{w_0\} \Rightarrow 0$, $\{w_0\} \xrightarrow{a} \{w_0, w_1\} \Rightarrow 1$ with an $a$-loop on $\{w_0, w_1\}$; $\{w_0'\} \Rightarrow 0$ with an $a$-loop on $\{w_0'\}$.]

The complete trace determinisation contains the sub-automata starting from states $\{w_0\}$ and $\{w_0'\}$ depicted in Figure 4.5. States $\{w_0\}$ and $\{w_0'\}$ are not behaviourally equivalent, since $\{w_0, w_1\}$ outputs 1, whereas $\{w_0'\}$ never reaches a state with this output. Hence, as expected, we will never be able to build a bisimulation containing states $\{w_0\}$ and $\{w_0'\}$. On the other hand, in the setting of trace semantics, the determinised (Moore) automata associated with $w_0$ and $w_0'$, respectively, are similar to those depicted in Figure 4.5, with the difference that now all their states output value 1. This makes the aforementioned automata bisimilar, hence providing a "yes" answer with respect to $\mathcal{T}$-equivalence of $w_0$ and $w_0'$, as anticipated.

4.1.3 Possible-futures semantics 

In what follows we provide a coalgebraic modelling of possible-futures semantics and
show that it coincides with the original definition in [vG01a]. We also give an example
of how the generalised powerset construction and Moore bisimulations can be used in
order to reason on possible-futures equivalence.

Let $(X, \delta\colon X \to (\mathcal{P}_\omega X)^A)$ be an LTS. A possible future of $x \in X$ is a pair $(w, T) \in A^* \times \mathcal{P}(A^*)$
such that $x \xrightarrow{w} y$ and $T = \mathcal{T}(y)$ (where $\mathcal{T}(y)$ is the set of traces of $y$, as in Section 4.1.2).
Possible-futures semantics identifies states that can trigger the same sets of traces $w \in A^*$
and moreover, by executing such $w$, they reach trace-equivalent states.

4.1.11 Definition (Possible-futures equivalence [RB81, vG01a]). Consider an LTS
$(X, \delta\colon X \to (\mathcal{P}_\omega X)^A)$ and $x, y \in X$ two states. States $x$ and $y$ are possible-futures equivalent
($\mathcal{PF}$-equivalent) if and only if $\mathcal{PF}(x) = \mathcal{PF}(y)$, where

\[ \mathcal{PF}(x) = \{\, (w, T) \in A^* \times \mathcal{P}(A^*) \mid \exists x' \in X.\ x \xrightarrow{w} x' \wedge T = \mathcal{T}(x') \,\}. \]

The ingredients of Figure 4.2 are instantiated as follows.

The output function $o_{\mathcal{PF}}\colon X \to \mathcal{P}(\mathcal{P}(A^*))$, which refers to the set of traces enabled by
states $x \in X$ of the LTS, is defined as

\[ o_{\mathcal{PF}}(x) = \{\mathcal{T}(x)\}. \]

Here, $B_{\mathcal{J}} = B_{\mathcal{PF}} = \mathcal{P}(\mathcal{P}(A^*))$ and the behaviour of a state $x \in X$ in the final coalgebra is
given in terms of a function $\llbracket \{x\} \rrbracket\colon A^* \to \mathcal{P}(\mathcal{P}(A^*))$, which, intuitively, for each $w \in A^*$
returns the set of sets $T_y$ of traces corresponding to states $y \in X$ such that $x \xrightarrow{w} y$.

Next we want to show that for each $x \in X$, $\llbracket \{x\} \rrbracket$ and $\mathcal{PF}(x)$ coincide.

First we choose to equivalently represent $\mathcal{PF}(x) \in \mathcal{P}(A^* \times \mathcal{P}(A^*))$ - the set of all possible
futures of a state $x \in X$ - in terms of $\varphi^{\mathcal{PF}}_x \in (\mathcal{P}(\mathcal{P}(A^*)))^{A^*}$, where

\[ \varphi^{\mathcal{PF}}_x(w) = \{\, \mathcal{T}(y) \mid x \xrightarrow{w} y \,\}. \]
Showing the equivalence between the coalgebraic and the original definition of possible-futures
semantics reduces to proving that

\[ (\forall x \in X).\ \llbracket \{x\} \rrbracket = \varphi^{\mathcal{PF}}_x. \tag{4.9} \]

4.1.12 Theorem. Let $(X, \delta\colon X \to (\mathcal{P}_\omega X)^A)$ be an LTS. Then for all $x \in X$ and $w \in A^*$,
$\llbracket \{x\} \rrbracket(w) = \varphi^{\mathcal{PF}}_x(w)$.

Proof. The proof is by induction on $w \in A^*$ (similar to the proof of Theorem 4.1.3). □


4.1.13 Example. Consider the following LTS's.

[Figure: two LTS's with states $p_0, \ldots, p_{17}$ and $q_0, \ldots, q_{17}$ and labels in $\{a, b, c, d, e\}$; the drawing itself is not recoverable from the page.]

Note that $p_0$ and $q_0$ are possible-futures equivalent, as the traces both can follow are
sequences $w \in \{a, ab, aa, aab, aac, aacd, aace\}$ and moreover, by triggering the same $w$
they reach states with equal sets of traces. The equivalence between $p_0$ and $q_0$ can be
formally captured in terms of a bisimulation relation $R$ on the associated Moore automata
(generated according to the generalised powerset construction) depicted in Figure 4.6,
where

\[ \begin{aligned} R = \{\ & (\{p_0\}, \{q_0\}),\ (\{p_1, p_2\}, \{q_1, q_2\}),\ (\{p_3\}, \{q_7\}),\ (\{p_8, p_{13}\}, \{q_8, q_{13}\}), \\
& (\{p_4, p_5, p_6, p_7\}, \{q_3, q_4, q_5, q_6\}),\ (\{p_9, p_{10}, p_{11}, p_{12}\}, \{q_9, q_{10}, q_{11}, q_{12}\}), \\
& (\{p_{14}, p_{16}\}, \{q_{14}, q_{16}\}),\ (\{p_{15}, p_{17}\}, \{q_{15}, q_{17}\})\ \}. \end{aligned} \]

It is easy to check that $R$ is a bisimulation, since both automata in Figure 4.6 are isomorphic.
(Note that equality of the outputs - which are sets of traces - can be established
using the framework introduced in Section 4.1.2.)
[Figure 4.6: Possible-futures determinisation when starting from $\{p_0\}$, $\{q_0\}$. The Moore states reached from $\{p_0\}$ are $\{p_0\}$ (output $\{\mathcal{T}(p_0)\}$), $\{p_1, p_2\}$ (output $\{\mathcal{T}(p_1), \mathcal{T}(p_2)\}$), $\{p_8, p_{13}\}$ and $\{p_3\}$ (output $\{\emptyset\}$), $\{p_4, p_5, p_6, p_7\}$ (output $o_1$), $\{p_9, p_{10}, p_{11}, p_{12}\}$ (output $o_2$), $\{p_{14}, p_{16}\}$ and $\{p_{15}, p_{17}\}$ (output $\{\emptyset\}$); the states reached from $\{q_0\}$ are, correspondingly, $\{q_0\}$, $\{q_1, q_2\}$, $\{q_8, q_{13}\}$, $\{q_7\}$, $\{q_3, q_4, q_5, q_6\}$ (output $o'_1$), $\{q_9, q_{10}, q_{11}, q_{12}\}$ (output $o'_2$), $\{q_{14}, q_{16}\}$ and $\{q_{15}, q_{17}\}$, where]

\[ o_1 = \{\mathcal{T}(p_4), \mathcal{T}(p_5), \mathcal{T}(p_6), \mathcal{T}(p_7)\}, \qquad o_2 = \{\mathcal{T}(p_9), \mathcal{T}(p_{10}), \mathcal{T}(p_{11}), \mathcal{T}(p_{12})\}, \]
\[ o'_1 = \{\mathcal{T}(q_3), \mathcal{T}(q_4), \mathcal{T}(q_5), \mathcal{T}(q_6)\}, \qquad o'_2 = \{\mathcal{T}(q_9), \mathcal{T}(q_{10}), \mathcal{T}(q_{11}), \mathcal{T}(q_{12})\}. \]


4.1.4 Ready and failure trace semantics 

In this section we provide a coalgebraic modelling of ready and failure trace semantics
by employing the generalised powerset construction. Similarly to the other semantics
tackled so far, we show a) that the coalgebraic representation coincides with the original
definition in [vG01a] and b) how to apply the coalgebraic machinery in order to reason
on the corresponding equivalences.

Intuitively, ready trace semantics identifies two states if and only if they can follow the
same traces $w$, and moreover, the corresponding (pairwise-taken) states determined by
such $w$'s have equivalent one-step behaviours. Failure trace semantics identifies states that
can trigger the same traces $w$, and moreover, the (pairwise-taken) intermediate states
occurring during the execution of such a $w$ fail to trigger the same (sets of) actions.
Formally, the associated definitions are as follows:


4.1.14 Definition (Ready trace equivalence [Pnu85, vG01a]). Consider an LTS
$(X, \delta\colon X \to (\mathcal{P}_\omega X)^A)$ and $x, y \in X$ two states. States $x$ and $y$ are ready trace equivalent
($\mathcal{RT}$-equivalent) if and only if $\mathcal{RT}(x) = \mathcal{RT}(y)$, where

\[ \begin{aligned} \mathcal{RT}(x) = \{\, & I_0 a_1 I_1 a_2 \ldots a_n I_n \in \mathcal{P}_\omega(A) \times (A \times \mathcal{P}_\omega(A))^* \mid \\
& (\exists x_1, \ldots, x_n \in X).\ x = x_0 \xrightarrow{a_1} x_1 \xrightarrow{a_2} \ldots \xrightarrow{a_n} x_n \wedge (\forall i = 0, \ldots, n).\ I_i = I(\delta(x_i)) \,\}. \end{aligned} \]

We call an element of $\mathcal{RT}(x)$ a ready trace of $x$.

4.1.15 Definition (Failure trace equivalence [Phi87]). Let $(X, \delta\colon X \to (\mathcal{P}_\omega X)^A)$ be an
LTS and $x, y \in X$ two states. States $x$ and $y$ are failure trace equivalent ($\mathcal{FT}$-equivalent)
if and only if $\mathcal{FT}(x) = \mathcal{FT}(y)$, where

\[ \begin{aligned} \mathcal{FT}(x) = \{\, & F_0 a_1 F_1 a_2 \ldots a_n F_n \in \mathcal{P}_\omega(A) \times (A \times \mathcal{P}_\omega(A))^* \mid \\
& (\exists x_1, \ldots, x_n \in X).\ x = x_0 \xrightarrow{a_1} x_1 \xrightarrow{a_2} \ldots \xrightarrow{a_n} x_n \wedge (\forall i = 0, \ldots, n).\ F_i \in \mathrm{Fail}(\delta(x_i)) \,\}. \end{aligned} \]

We call an element of $\mathcal{FT}(x)$ a failure trace of $x$.

In order to model these two equivalences coalgebraically we will have to apply the generalised
powerset construction from Figure 4.2 not only by adding the output function
but also by changing the transitions of the LTS.

In particular, we have to add to transitions of shape $x \xrightarrow{a} y$ information regarding the sets
of actions ready to be triggered by $x$. In the new LTS we consider transitions of shape
$x \xrightarrow{(a,\, I(\delta(x)))} y$, therefore enabling the construction of Moore automata "collecting" states
that have been reached not only via one-step transitions with the same label, but also
from processes sharing the same initial behaviour. (Note that $F \in \mathrm{Fail}(\delta(x))$ whenever
$F \subseteq A - I(\delta(x))$.)

We apply the generalised powerset construction to the decorated LTS:

\[ (X, (o_{\mathcal{J}}, \bar\delta)\colon X \to \mathcal{P}(\mathcal{P}_\omega(A)) \times (\mathcal{P}_\omega X)^{A \times \mathcal{P}_\omega(A)}) \]

where $\bar\delta$ is defined by first computing the set $I$ and then appending it to every successor
of a state by using the strength of powerset:

\[ \bar\delta\colon X \to (\mathcal{P}_\omega X)^{A \times \mathcal{P}_\omega(A)}, \qquad
\bar\delta(x)((a, Z)) = \begin{cases} \delta(x)(a) & \text{if } Z = I(\delta(x)) \\ \emptyset & \text{otherwise.} \end{cases} \]

For $\mathcal{J} \in \{\mathcal{RT}, \mathcal{FT}\}$, the output function $o_{\mathcal{J}}$ provides information with respect to the
actions ready, respectively, failed to be triggered by a state $x \in X$ as a first step:

\[ o_{\mathcal{RT}}(x) = \{I(\delta(x))\} \qquad o_{\mathcal{FT}}(x) = \mathrm{Fail}(\delta(x)). \]


We need to show that for $x_0 \in X$, there is a one-to-one correspondence between $\llbracket \{x_0\} \rrbracket$
and $\mathcal{J}(x_0)$. Intuitively, for ready trace semantics, for example, each behaviour

\[ \llbracket \{x_0\} \rrbracket(\bar w) = \{\, Z_n \mid x_0 \xrightarrow{\bar w} x_n \,\}, \quad \text{with } \bar w = (a_1, Z_0) \ldots (a_n, Z_{n-1}) \in (A \times \mathcal{P}_\omega(A))^* \text{ and } w = a_1 \ldots a_n \in A^*, \]

corresponds to a set of sequences of shape

\[ Z_0 a_1 Z_1 a_2 \ldots Z_{n-1} a_n Z_n \in \mathcal{J}(x_0). \]

Given $x \in X$, for $\mathcal{J} \in \{\mathcal{RT}, \mathcal{FT}\}$, we again represent $\mathcal{J}(x) \in \mathcal{P}(\mathcal{P}_\omega(A) \times (A \times \mathcal{P}_\omega(A))^*)$ by
a function $\varphi^{\mathcal{J}}_x\colon (A \times \mathcal{P}_\omega(A))^* \to \mathcal{P}(\mathcal{P}_\omega(A))$:

\[ \varphi^{\mathcal{RT}}_x(\bar w) = \{\, Z \subseteq A \mid x \xrightarrow{\bar w} y \wedge Z = I(\delta(y)) \,\} \qquad
\varphi^{\mathcal{FT}}_x(\bar w) = \{\, Z \subseteq A \mid x \xrightarrow{\bar w} y \wedge Z \in \mathrm{Fail}(\delta(y)) \,\} \]

Showing the equivalence between the coalgebraic and the original definition of ready and
failure trace semantics consists in proving that

\[ (\forall x \in X).\ \llbracket \{x\} \rrbracket = \varphi^{\mathcal{J}}_x. \tag{4.10} \]

4.1.16 Theorem. Let $(X, \delta\colon X \to (\mathcal{P}_\omega X)^A)$ be an LTS. Then for all $x \in X$ and $\bar w \in (A \times \mathcal{P}_\omega(A))^*$,
$\llbracket \{x\} \rrbracket(\bar w) = \varphi^{\mathcal{J}}_x(\bar w)$.

Proof. The proof follows by induction on words $\bar w \in (A \times \mathcal{P}_\omega(A))^*$ (similar to the proof
of Theorem 4.1.3). □

4.1.17 Example. Consider the following two systems:

[Figure: two LTS's over $A = \{a, b, c, d, e, f\}$ with states $p_0, \ldots, p_8$ and $q_0, \ldots, q_8$; the drawing is not recoverable from the page, but the ready sets of the states can be read off the outputs listed below.]

Note that they are not ready trace equivalent as, for example, $\{a\}\, a\, \{c, f\}\, c\, \{e\}$ is a ready
trace of $p_0$ but not of $q_0$. Moreover, they are not failure trace equivalent as, for example,
$\{b, c, d, e, f\}\, a\, \{a, d, e, f\}\, c\, \{a, b, c, e, f\}\, d\, \{a, b, c, d, e, f\}$ is a failure trace of $p_0$ but not of $q_0$.

It is easy to check that by taking exactly the generalised powerset construction (starting
with $\{p_0\}$, $\{q_0\}$) without changing the transition function, as in Section 4.1.1, one gets
two bisimilar Moore automata (for both the case of ready and failure trace equivalence).
This would indicate that the initial LTS's are behaviourally equivalent (which is not the case
for ready and failure trace!).

The change in the transition function generates the automata (with labels in $A \times \mathcal{P}_\omega(A)$) in
Figure 4.7. Then, for both semantics studied in this section, the determinisation derives
the two Moore automata in Figure 4.8.
For ready trace semantics it holds that:

\[ o_0 = o'_0 = \{\{a\}\} \qquad o_{12} = o'_{12} = \{\{b, c\}, \{c, f\}\} \qquad o_4 = o'_5 = \{\{d\}\} \qquad o_5 = o'_4 = \{\{e\}\} \]
\[ o_3 = o_6 = o_7 = o_8 = o'_3 = o'_6 = o'_7 = o'_8 = \{\emptyset\}. \]

Hence, the systems in Figure 4.8 are not bisimilar as, for example, both states $\{p_4\}$ and
$\{q_4\}$ can be reached via transitions labelled the same, but they output different sets of
ready actions - namely $\{\{d\}\}$ and $\{\{e\}\}$, respectively. Therefore, we conclude that $p_0$ and
$q_0$ are not ready trace equivalent.

[Figure 4.7: Altered transition function before determinisation (the LTS's of Example 4.1.17 with transition labels $(a, I(\delta(x)))$; drawing not recoverable from the page).]

[Figure 4.8: Determinisation starting from $\{p_0\}$, $\{q_0\}$. Transition labels are pairs such as $\langle a, \{a\}\rangle$, $\langle b, \{b, c\}\rangle$, $\langle c, \{b, c\}\rangle$, $\langle c, \{c, f\}\rangle$, $\langle f, \{c, f\}\rangle$ and $\langle d, \{d\}\rangle$; the reachable Moore states are $\{p_1, p_2\}$ and $\{q_1, q_2\}$ together with singletons $\{p_i\}$, respectively $\{q_i\}$, with outputs $o_i$, respectively $o'_i$, as listed in the text.]

Similarly, for failure trace we have (writing $[S]$ for the set of all subsets of $S$, so that, e.g., $[bcdef] = \mathrm{Fail}(\delta(p_0))$):

\[ o_0 = o'_0 = [bcdef] \qquad o_{12} = o'_{12} = [adef] \cup [abde] \]
\[ o_4 = o'_5 = [abcef] \qquad o_5 = o'_4 = [abcdf] \]
\[ o_3 = o_6 = o_7 = o_8 = o'_3 = o'_6 = o'_7 = o'_8 = [abcdef]. \]

As before, the automata in Figure 4.8 are not bisimilar as, for example, both $\{p_4\}$ and
$\{q_4\}$ are reached via transitions labelled the same, but have different outputs. Therefore
we conclude that $p_0$ and $q_0$ are not failure trace equivalent.

The purpose of changing the transition labels with sets of ready actions is to collect in a
Moore state only states of the initial LTS's that have been reached from "parents" with
the same one-step (initial) behaviour. Or dually, to distinguish between states that have
"parents" ready, respectively, failing to trigger different sets of actions. This way one
avoids the unfortunate situation of encapsulating, for example, the states $p_4, p_5$, respectively
$q_4, q_5$, in one Moore state, which would eventually lead to providing a positive answer with respect
to both ready and failure trace equivalence of $p_0$ and $q_0$.

In other words, the change in the transition function is needed in order to guarantee that
whenever two states of an LTS are ready/failure trace equivalent, the (pairwise-taken)
states determined by the executions of a given trace have the same initial behaviour.
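The determinisations discussed in Example 4.1.10 (trace versus complete trace) and in this section (ready trace with and without the altered transition function) can be carried out mechanically. The following Python script is an added example and not code from the thesis: it implements the generalised powerset construction for an LTS, parameterised by the decoration $o_{\mathcal{J}}$ and the join of $B_{\mathcal{J}}$, and then searches coinductively for a Moore bisimulation between two start states. The LTS of Example 4.1.10 is transcribed from the text; the LTS of Example 4.1.17 is reconstructed (an assumption) from the ready sets and the ready and failure traces quoted there, since the figure is not available. Failure trace semantics is obtained by swapping the decoration for $\mathrm{Fail}(\delta(x))$ and is not repeated here.

```python
"""Generalised powerset construction for LTSs plus a Moore bisimulation check.
Added example (not the thesis' code); the LTSs are constructed from the examples."""

# An LTS is a dict: state -> {action: set of successors}.
# Example 4.1.10, transcribed from the text:
LTS_W = {"w0": {"a": {"w0", "w1"}}, "w1": {},   # w0 can reach the deadlock w1
         "w0'": {"a": {"w0'"}}}                  # w0' loops forever
# Example 4.1.17, reconstructed (assumption) from the ready sets and the ready/
# failure traces quoted in the text, because the figure is not on the page:
LTS_PQ = {"p0": {"a": {"p1", "p2"}}, "p1": {"b": {"p3"}, "c": {"p4"}},
          "p2": {"c": {"p5"}, "f": {"p6"}}, "p4": {"d": {"p7"}}, "p5": {"e": {"p8"}},
          "p3": {}, "p6": {}, "p7": {}, "p8": {},
          "q0": {"a": {"q1", "q2"}}, "q1": {"b": {"q3"}, "c": {"q4"}},
          "q2": {"c": {"q5"}, "f": {"q6"}}, "q4": {"e": {"q7"}}, "q5": {"d": {"q8"}},
          "q3": {}, "q6": {}, "q7": {}, "q8": {}}


def initials(lts, x):
    """I(delta(x)): the actions x can fire as a first step."""
    return frozenset(a for a, ys in lts[x].items() if ys)


# A semantics J is (decoration o_J, bottom of B_J, join of B_J); cf. Figure 4.10.
SEMANTICS = {
    "T":  (lambda lts, x: 1, 0, max),                          # trace, B_T = 2
    "CT": (lambda lts, x: int(not initials(lts, x)), 0, max),  # complete trace, B = 2
    "RT": (lambda lts, x: frozenset({initials(lts, x)}),       # ready trace,
           frozenset(), lambda s: frozenset().union(*s)),     # B = P(P_w(A))
}


def step(lts, x, decorated):
    """Successors of x, keyed by a, or by (a, I(delta(x))) for the altered LTS of 4.1.4."""
    I = initials(lts, x)
    return {((a, I) if decorated else a): frozenset(ys) for a, ys in lts[x].items() if ys}


def determinise(lts, start, sem, decorated=False):
    """Moore automaton on subsets of states: the output of a subset is the join of its
    members' decorations, its successor for a label the union of the members' successors."""
    out, bottom, join = sem
    outputs, trans, todo = {}, {}, [frozenset([start])]
    while todo:
        S = todo.pop()
        if S in outputs:
            continue
        outputs[S] = join([out(lts, x) for x in S]) if S else bottom
        succ = {}
        for x in S:
            for lab, ys in step(lts, x, decorated).items():
                succ[lab] = succ.get(lab, frozenset()) | ys
        trans[S] = succ
        todo.extend(succ.values())
    return outputs, trans


def bisimilar(lts, x, y, sem, decorated=False):
    """Try to build a Moore bisimulation containing ({x}, {y}): related states must have
    equal outputs and related successors.  A label with no transition leads to the empty
    subset, whose output is the bottom of B_J."""
    bottom = sem[1]
    o1, t1 = determinise(lts, x, sem, decorated)
    o2, t2 = determinise(lts, y, sem, decorated)
    todo, R = [(frozenset([x]), frozenset([y]))], set()
    while todo:
        S, T = todo.pop()
        if (S, T) in R:
            continue
        if o1.get(S, bottom) != o2.get(T, bottom):
            return False                      # no bisimulation can contain (S, T)
        R.add((S, T))
        for lab in set(t1.get(S, {})) | set(t2.get(T, {})):
            todo.append((t1.get(S, {}).get(lab, frozenset()),
                         t2.get(T, {}).get(lab, frozenset())))
    return True


if __name__ == "__main__":
    print("w0 ~T  w0'               :", bisimilar(LTS_W, "w0", "w0'", SEMANTICS["T"]))   # True
    print("w0 ~CT w0'               :", bisimilar(LTS_W, "w0", "w0'", SEMANTICS["CT"]))  # False
    print("p0 ~RT q0, labels a      :", bisimilar(LTS_PQ, "p0", "q0", SEMANTICS["RT"]))        # True (wrong)
    print("p0 ~RT q0, labels (a, I) :", bisimilar(LTS_PQ, "p0", "q0", SEMANTICS["RT"], True))  # False
```

The last two calls show the point made above: with labels $a$ the subsets $\{p_4, p_5\}$ and $\{q_4, q_5\}$ are collapsed into single Moore states with the equal outputs $\{\{d\}, \{e\}\}$, so $p_0$ and $q_0$ wrongly pass; with labels $(a, I(\delta(x)))$ the states $\{p_4\}$ and $\{q_4\}$ are kept apart and their outputs $\{\{d\}\}$ and $\{\{e\}\}$ differ.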
4.2 Decorated trace semantics of GPS's

In this section we show how the generalised powerset construction for coalgebras $f\colon X \to \mathcal{F}T(X)$,
for a functor $\mathcal{F}$ and a monad $T$ in (2.7), Section 2.3, can be instantiated in order
to provide coalgebraic modellings of decorated trace semantics for generative probabilistic
systems (GPS's). More explicitly, we show how the determinisation procedure can
be applied in order to derive coalgebraic representations of ready, (maximal) failure and
(maximal) trace semantics, equivalent to their standard definitions in [JS90].

A GPS is similar to an LTS, but each transition is labelled by both an action and a probability
$p$. More precisely, the transition dynamics is given by a probabilistic transition function
$\mu\colon X \times A \times X \to [0, 1]$ satisfying

\[ (\forall x \in X).\ \sum_{a \in A,\ y \in X} \mu(x, a, y) \leq 1, \tag{4.11} \]

where $X$ is the state space and $A$ is the alphabet of actions. For simplicity, we write
$\mu_a(x, y)$ in lieu of $\mu(x, a, y)$ and we will use the notation $x \xrightarrow{a, v} y$ for $\mu_a(x, y) = v$. We
extend $\mu$ to words $w \in A^*$:

\[ \mu_\varepsilon(x, y) = \begin{cases} 1 & \text{if } x = y \\ 0 & \text{if } x \neq y \end{cases} \qquad
\mu_{aw}(x, y) = \sum_{x' \in X} \mu_a(x, x') \times \mu_w(x', y). \]

Intuitively, $\mu_w(x, y)$ represents the sum of the probabilities associated with all traces $w$
from $x$ to $y$. Moreover, we write

\[ \mu_0(x, 0) = 1 - \sum_{a \in A,\ y \in X} \mu(x, a, y) \]

for the probability of $x$ to terminate, where $0$ is a special symbol not in $A$, called the zero
action, and $0$ is the (deadlock-like) zero process whose only transition is $\mu_0(0, 0) = 1$.
Similarly to the case of LTS's, the set of initial actions that can be triggered (with a
probability greater than 0) from $x \in X$ is given by

\[ I(x) = \{\, a \in A \mid (\exists y \in X).\ \mu_a(x, y) > 0 \,\}, \]

whereas failure sets $Z \in \mathcal{P}_\omega A$ satisfy the condition $Z \cap I(x) = \emptyset$. We write $\mathrm{Fail}(x)$ to
represent the set of all failure sets of $x$.

The decorated trace semantics for GPS's considered here can be intuitively described
as follows. Given two states $x, y \in X$, we say that $x$ and $y$ are equivalent whenever
traces $w \in A^*$

- lead, with the same probability, $x$ and $y$ to processes that trigger (respectively, fail to
execute) as a first step the same sets of actions, for the case of ready (respectively,
failure) semantics. Note that maximal failure semantics takes into consideration
only the largest sets of failure actions (i.e., $A - I(x)$, $A - I(y)$).

- can be executed with the same probability from both $x$ and $y$, for the case of trace
semantics and, moreover, lead $x$ and $y$ to processes that have the same probability
to terminate, for the case of maximal trace semantics.
To model GPS's, we consider $\mathcal{D}_\omega(X)$ - the (finitely supported sub-)probability distribution
functor defined on $\mathbf{Set}$. $\mathcal{D}_\omega$ maps a set $X$ to

\[ \mathcal{D}_\omega(X) = \{\, \varphi\colon X \to [0, 1] \mid \mathrm{supp}(\varphi) \text{ is finite and } \textstyle\sum_{x \in X} \varphi(x) \leq 1 \,\}, \]

where $\mathrm{supp}(\varphi) = \{\, x \in X \mid \varphi(x) > 0 \,\}$ is the support of $\varphi$. Given a function $g\colon X \to Y$,
$\mathcal{D}_\omega(g)\colon \mathcal{D}_\omega(X) \to \mathcal{D}_\omega(Y)$ is defined as

\[ \mathcal{D}_\omega(g)(\varphi) = \lambda y.\ \sum_{g(x) = y} \varphi(x). \]

A GPS is a coalgebra

\[ (X, \delta\colon X \to (\mathcal{D}_\omega(X))^A) \]

such that $\delta(x)(a)(y) = \mu_a(x, y)$.¹

To each GPS we associate a decorated GPS

\[ (X, (o_{\mathcal{J}}, \delta)\colon X \to B_{\mathcal{J}} \times (\mathcal{D}_\omega(X))^A) \]

"parameterised" by $\mathcal{J}$, depending on the semantics under consideration.

Decorated GPS's can be determinised according to the generalised powerset construction
as illustrated in Figure 4.9, where $\mathcal{F}$ is $B_{\mathcal{J}} \times (-)^A$ and $T$ is instantiated with the probability
distribution monad $(\mathcal{D}_\omega, \eta, \mu)$:

\[ \eta\colon X \to \mathcal{D}_\omega(X), \qquad \eta(x) = \lambda y.\ \begin{cases} 1 & \text{if } x = y \\ 0 & \text{otherwise} \end{cases} \]
\[ \mu\colon \mathcal{D}_\omega(\mathcal{D}_\omega(X)) \to \mathcal{D}_\omega(X), \qquad \mu(\psi) = \lambda x.\ \sum_{\varphi \in \mathrm{supp}(\psi)} \psi(\varphi) \times \varphi(x). \]

Algebras for this monad are the so-called positive convex structures [Dob08].

Moreover, for each of the semantics of interest the observations set $B_{\mathcal{J}}$ has to carry
a $\mathcal{D}_\omega$-algebra structure, or, equivalently, there has to exist a morphism $h_{\mathcal{J}}$ such that
$(B_{\mathcal{J}}, h_{\mathcal{J}}\colon \mathcal{D}_\omega(B_{\mathcal{J}}) \to B_{\mathcal{J}})$ is a $\mathcal{D}_\omega$-algebra (as introduced in Definition 2.3.2 in Section 2.3).

The ingredients $o_{\mathcal{J}}$, $B_{\mathcal{J}}$ and $h_{\mathcal{J}}$ of Figure 4.9 are explicitly defined in the subsequent sections
for each of the coalgebraic decorated trace semantics. The latter are also proven to
be equivalent with their corresponding definitions in [JS90].

4.2.1 Ready and (maximal) failure semantics

In this section we provide the detailed coalgebraic modelling of ready and (maximal)
failure semantics and show the equivalence with their counterparts defined in [JS90], as
follows:

4.2.1 Definition (Ready equivalence [JS90]). The ready function

\[ \mathcal{R}_p\colon X \to ((A^* \times \mathcal{P}_\omega A) \to [0, 1]) \]

is given by

\[ \mathcal{R}_p(x)((w, I)) = \sum_{I = I(y)} \mu_w(x, y). \]

We say that $x, x' \in X$ are ready equivalent whenever $\mathcal{R}_p(x) = \mathcal{R}_p(x')$.

4.2.2 Definition (Failure equivalence [JS90]). The failure function

\[ \mathcal{F}_p\colon X \to ((A^* \times \mathcal{P}_\omega A) \to [0, 1]) \]

is given by

\[ \mathcal{F}_p(x)((w, Z)) = \sum_{Z \cap I(y) = \emptyset} \mu_w(x, y). \]

We say that $x, x' \in X$ are failure equivalent whenever $\mathcal{F}_p(x) = \mathcal{F}_p(x')$.

4.2.3 Definition (Maximal failure equivalence [JS90]). The maximal failure function
$\mathcal{MF}_p\colon X \to ((A^* \times \mathcal{P}_\omega A) \to [0, 1])$ is given by

\[ \mathcal{MF}_p(x)((w, Z)) = \sum_{Z = A - I(y)} \mu_w(x, y). \]

We say that $x, x' \in X$ are maximal failure equivalent whenever $\mathcal{MF}_p(x) = \mathcal{MF}_p(x')$.

[Figure 4.9: The powerset construction for decorated GPS's. The decorated GPS $(X, (o_{\mathcal{J}}, \delta))$ is lifted, via $\eta$, to the Moore coalgebra $(\mathcal{D}_\omega(X), (o, t))$, which maps into the final coalgebra $(B_{\mathcal{J}}^{A^*}, (\varepsilon, (-)_a))$ by $\llbracket - \rrbracket$, where]

\[ o = h_{\mathcal{J}} \circ \mathcal{D}_\omega(o_{\mathcal{J}}) \qquad
t(\varphi)(a)(y) = \sum_{x \in \mathrm{supp}(\varphi)} \delta(x)(a)(y) \times \varphi(x) \]
\[ \llbracket \varphi \rrbracket(\varepsilon) = o(\varphi) \qquad
\llbracket \varphi \rrbracket(aw) = \llbracket t(\varphi)(a) \rrbracket(w) \]

¹ Note that the coalgebraic type directly corresponds to reactive systems [BSdV04]. The embedding of generative
into reactive is injective and poses no problems semantic-wise. In the sequel, when we write "Let
$(X, \delta\colon X \to (\mathcal{D}_\omega(X))^A)$ be a GPS" we implicitly mean a coalgebra of this type originating from a GPS defined by
a probabilistic function $\mu\colon X \times A \times X \to [0, 1]$ as in (4.11).

Intuition: ready and (maximal) failure semantics, respectively, identify states which have
the same probability of reaching processes sharing the same sets of ready actions $I$, or
(maximal) sets of failure actions $Z$, respectively, by executing the same traces $w \in A^*$.
Consequently, appropriate modellings in the coalgebraic setting should capture sets of
traces $w$, together with some notion of observations based on execution probabilities of
such $w$'s and sets of ready/(maximal) failure actions.

As a first step we define $B_{\mathcal{J}}$, the observation set in Figure 4.9, as $[0, 1]^{\mathcal{P}_\omega(A)}$ for ready,
failure and maximal failure semantics (for which, for consistency of notation, $\mathcal{J}$ will be
instantiated with $\mathcal{R}_p$, $\mathcal{F}_p$ and $\mathcal{MF}_p$, respectively).

The associated "decorating" functions $o_{\mathcal{J}}\colon X \to [0, 1]^{\mathcal{P}_\omega(A)}$ are defined for $x \in X$ as:

\[ o_{\mathcal{R}_p}(x)(I) = \begin{cases} 1 & \text{if } I = I(x) \\ 0 & \text{otherwise} \end{cases} \qquad
o_{\mathcal{F}_p}(x)(Z) = \begin{cases} 1 & \text{if } Z \cap I(x) = \emptyset \\ 0 & \text{otherwise} \end{cases} \qquad
o_{\mathcal{MF}_p}(x)(Z) = \begin{cases} 1 & \text{if } Z = A - I(x) \\ 0 & \text{otherwise.} \end{cases} \]

For the generalised powerset construction for GPS's, $B_{\mathcal{J}} = [0, 1]^{\mathcal{P}_\omega(A)}$ is required to carry
a $\mathcal{D}_\omega$-algebra structure. This structure is given by the pointwise extension of the free
algebra structure in $[0, 1] = \mathcal{D}_\omega(1)$:

\[ h_{\mathcal{J}}(\psi)(Z) = \sum_{f \in \mathrm{supp}(\psi)} \psi(f) \times f(Z). \]

It is easy to check that, for $\mathcal{J} \in \{\mathcal{R}_p, \mathcal{F}_p, \mathcal{MF}_p\}$, the output function $o = h_{\mathcal{J}} \circ \mathcal{D}_\omega(o_{\mathcal{J}})$ is
explicitly defined, for $\varphi \in \mathcal{D}_\omega(X)$, as:

\[ o(\varphi)(S) = \sum_{x \in \mathrm{supp}(\varphi)} \varphi(x) \times o_{\mathcal{J}}(x)(S). \]

This enables the modelling of the behaviour of GPS's in terms of (final) Moore machines
with state space $(B_{\mathcal{J}})^{A^*}$ and observations in $B_{\mathcal{J}}$. More explicitly, given a GPS $(X, \delta)$,
the decorated trace behaviour of $x \in X$ is represented in the coalgebraic setting by
$\llbracket \eta(x) \rrbracket \in (B_{\mathcal{J}})^{A^*} = ([0, 1]^{\mathcal{P}_\omega(A)})^{A^*} \cong [0, 1]^{A^* \times \mathcal{P}_\omega(A)}$, precisely the type of the functions in
Definitions 4.2.1-4.2.3. This paves the way for reasoning on ready and (maximal) failure
equivalence by coinduction, in terms of Moore bisimulations.

4.2.4 Example. Consider, for example, the following GPS's:

[Figure: the GPS with transitions $p' \xrightarrow{a, x} q'$, $p' \xrightarrow{a, 1-x} r'$, $q' \xrightarrow{a, 1} s'$, $r' \xrightarrow{a, 1} t'$, next to the GPS with transitions $u' \xrightarrow{a, 1} v'$, $v' \xrightarrow{a, y} w'$, $v' \xrightarrow{a, 1-y} w''$; the drawing is not recoverable from the page, and the transitions are read off the ready function computations below.]

States $p'$ and $u'$ are ready equivalent, as their corresponding ready functions in Definition
4.2.1 are equal:

\[ \begin{aligned}
&\mathcal{R}_p(p')(\varepsilon, \emptyset) = 0 \qquad \mathcal{R}_p(p')(\varepsilon, \{a\}) = 1 \qquad \mathcal{R}_p(p')(a, \emptyset) = 0 \\
&\mathcal{R}_p(p')(a, \{a\}) = \mu_a(p', q') + \mu_a(p', r') = x + (1 - x) = 1 \\
&\mathcal{R}_p(p')(aa, \emptyset) = \mu_{aa}(p', s') + \mu_{aa}(p', t') = x \times 1 + (1 - x) \times 1 = 1 \qquad \mathcal{R}_p(p')(aa, \{a\}) = 0 \\
&\mathcal{R}_p(u')(\varepsilon, \emptyset) = 0 \qquad \mathcal{R}_p(u')(\varepsilon, \{a\}) = 1 \qquad \mathcal{R}_p(u')(a, \emptyset) = 0 \\
&\mathcal{R}_p(u')(a, \{a\}) = \mu_a(u', v') = 1 \qquad \mathcal{R}_p(u')(aa, \{a\}) = 0 \\
&\mathcal{R}_p(u')(aa, \emptyset) = \mu_{aa}(u', w') + \mu_{aa}(u', w'') = 1 \times y + 1 \times (1 - y) = 1
\end{aligned} \]

Intuitively, $\mathcal{R}_p(p')(\varepsilon, \emptyset) = 0$ states that from $p'$, by executing the empty trace $\varepsilon$, the probability
to reach states that cannot further trigger any action is 0. This is indeed the case,
as $p'$ can always fire $a$ as a first step. Similarly, $\mathcal{R}_p(u')(a, \{a\}) = 1$ states that the probability
of performing $a$ from $u'$ and reaching states with the ready set $\{a\}$ is 1. This is because
$u' \xrightarrow{a, 1} v'$ and $I(v') = \{a\}$. Nevertheless, the aforementioned ready equivalence follows according
to the hierarchy in the right-hand side of Figure 4.1, as $p'$ and $u'$ are probabilistic
bisimilar as well.
The same answer with respect to the ready equivalence of $p'$ and $u'$ is obtained by applying
the coalgebraic framework. As illustrated below, the corresponding Moore automata
derived starting from $p'$ and $u'$, respectively, are bisimilar; they have the same branching
structure and equal outputs:

[Figure: the Moore automaton $\varphi_1 \xrightarrow{a} \varphi_2 \xrightarrow{a} \varphi_3$ with outputs $o_{\varphi_1}, o_{\varphi_2}, o_{\varphi_3}$, and the Moore automaton $\alpha_1 \xrightarrow{a} \alpha_2 \xrightarrow{a} \alpha_3$ with outputs $o_{\alpha_1}, o_{\alpha_2}, o_{\alpha_3}$.]

The state spaces of the aforementioned Moore machines consist of the functions:

\[ \begin{aligned}
\varphi_1 &= \eta(p') = \{p' \mapsto 1,\ q' \mapsto 0,\ r' \mapsto 0,\ s' \mapsto 0,\ t' \mapsto 0\} \\
\varphi_2 &= \{p' \mapsto 0,\ q' \mapsto x,\ r' \mapsto 1 - x,\ s' \mapsto 0,\ t' \mapsto 0\} \\
\varphi_3 &= \{p' \mapsto 0,\ q' \mapsto 0,\ r' \mapsto 0,\ s' \mapsto x,\ t' \mapsto 1 - x\} \\
\alpha_1 &= \eta(u') = \{u' \mapsto 1,\ v' \mapsto 0,\ w' \mapsto 0,\ w'' \mapsto 0\} \\
\alpha_2 &= \{u' \mapsto 0,\ v' \mapsto 1,\ w' \mapsto 0,\ w'' \mapsto 0\} \\
\alpha_3 &= \{u' \mapsto 0,\ v' \mapsto 0,\ w' \mapsto y,\ w'' \mapsto 1 - y\}
\end{aligned} \]

The associated observations are:

\[ o_{\varphi_1} = o_{\alpha_1} = o_{\varphi_2} = o_{\alpha_2} = (\emptyset \mapsto 0,\ \{a\} \mapsto 1), \qquad o_{\varphi_3} = o_{\alpha_3} = (\emptyset \mapsto 1,\ \{a\} \mapsto 0). \]

The functions $\varphi_2$, $\varphi_3$, $\alpha_2$ and $\alpha_3$ together with their outputs are easily determined based
on the operations of the corresponding Moore coalgebra (as depicted in Figure 4.9).

The connection between the behaviour, i.e., ready function of $p'$ (respectively, $u'$) and $\varphi_i$
(respectively, $\alpha_i$), for $i \in \{1, 2, 3\}$, is straightforward. Each of the functions $\varphi_1$, $\varphi_2$ and $\varphi_3$
captures the behaviour of the system starting from $p'$, after executing the traces $\varepsilon$, $a$ and
$aa$, respectively. Note that, for example, the values of the ready function for trace $\varepsilon$ and
ready sets $\emptyset$ and $\{a\}$, respectively, are in one-to-one correspondence with the assignments
in $o_{\varphi_1}$. Similarly for the case of $u'$.

By following the same approach, the coalgebraic machinery provides a "yes" answer with
respect to (maximal) failure equivalence of $p'$ and $u'$ as well. This is also in agreement
with the results in [JS90] stating that ready and (maximal) failure equivalence for GPS's
have the same distinguishing power.

The equivalence between the coalgebraic and the original definitions of the decorated
trace semantics $\mathcal{J} \in \{\mathcal{R}_p, \mathcal{F}_p, \mathcal{MF}_p\}$ in [JS90] consists in showing that, given a GPS
$(X, \delta)$, $x \in X$, $w \in A^*$ and $S \subseteq A$, it holds that $\llbracket \eta(x) \rrbracket(w)(S) = \mathcal{J}(x)(w, S)$.

4.2.5 Theorem. Let $(X, \delta\colon X \to (\mathcal{D}_\omega(X))^A)$ be a GPS and $(\mathcal{D}_\omega(X), (o, t))$ be its associated
determinisation as in Figure 4.9. Then, for all $x \in X$, $w \in A^*$ and $S \subseteq A$, it holds

\[ \llbracket \eta(x) \rrbracket(w)(S) = \mathcal{J}(x)(w, S). \]

Proof. The proof is similar for all $\mathcal{J}$ in $\{\mathcal{R}_p, \mathcal{F}_p, \mathcal{MF}_p\}$, by induction on $w \in A^*$.

- Base case - $w = \varepsilon$: $\llbracket \eta(x) \rrbracket(\varepsilon)(S) = o(\eta(x))(S) = o_{\mathcal{J}}(x)(S) = \mathcal{J}(x)(\varepsilon, S)$.

- Induction step. Here, we will use the fact that the map into the final coalgebra is
also an algebra map and the equality

\[ \mathcal{J}(x)(aw, S) = \sum_{y \in X} \mu_a(x, y) \times \mathcal{J}(y)(w, S), \]

which is obtained by unfolding the definition of $\mu_{aw}$ inside $\mathcal{J}(x)(aw, S)$.
Consider $aw \in A^*$ and assume $\llbracket \eta(y) \rrbracket(w)(S) = \mathcal{J}(y)(w, S)$, for all $y \in X$. We want
to prove that $\llbracket \eta(x) \rrbracket(aw)(S) = \mathcal{J}(x)(aw, S)$, for $a \in A$.

\[ \begin{aligned}
\llbracket \eta(x) \rrbracket(aw)(S) &= \llbracket \delta(x)(a) \rrbracket(w)(S) && (t(\eta(x))(a) = \delta(x)(a)) \\
&= \sum_{y \in X} \delta(x)(a)(y) \times \llbracket \eta(y) \rrbracket(w)(S) && (\llbracket - \rrbracket \text{ is an algebra map}) \\
&= \sum_{y \in X} \delta(x)(a)(y) \times \mathcal{J}(y)(w, S) && \text{(IH)} \\
&= \sum_{y \in X} \mu_a(x, y) \times \mathcal{J}(y)(w, S) && (\mu_a(x, y) = \delta(x)(a)(y)) \\
&= \mathcal{J}(x)(aw, S). && \square
\end{aligned} \]

4.2.2 (Maximal) trace semantics

In this section we provide the coalgebraic modelling of (maximal) trace semantics for
GPS's. The approach resembles the one in the previous section: we first recall the aforementioned
semantics as introduced in [JS90], and then show how to instantiate the ingredients
of Figure 4.9 in order to capture the corresponding behaviours in terms of (final)
Moore coalgebras. As a last step, we prove the equivalence between the coalgebraic
modellings and the original definitions in [JS90].

4.2.6 Definition ((Maximal) trace equivalence [JS90]). The trace function
$\mathcal{T}_p\colon X \to (A^* \to [0, 1])$ is given by

\[ \mathcal{T}_p(x)(w) = \sum_{y \in X} \mu_w(x, y). \]

The maximal trace function $\mathcal{MT}_p\colon X \to (A^* \to [0, 1])$ is given by

\[ \mathcal{MT}_p(x)(w) = \mu_{w0}(x, 0). \]

We say that $x, x' \in X$ are trace equivalent whenever $\mathcal{T}_p(x) = \mathcal{T}_p(x')$. If $\mathcal{MT}_p(x) = \mathcal{MT}_p(x')$
holds as well, then we say that $x$ and $x'$ are maximal trace equivalent.

From the definition above, it can be easily seen at an intuitive level that trace equivalence
identifies processes that can execute with the same probability the same sets of traces
$w \in A^*$. Moreover, maximal trace equivalence takes into consideration the probability of
not triggering any action after the performance of such $w$'s.

Therefore, we choose the set of observations $B_{\mathcal{J}}$ (where $\mathcal{J} = \mathcal{T}_p$ for trace and $\mathcal{J} = \mathcal{MT}_p$
for maximal trace semantics) to denote probabilities (of processes to execute $w \in A^*$, or
stagnate after triggering such $w$'s) ranging over $[0, 1]$.

We define the "decorating" functions, for $\mathcal{J} \in \{\mathcal{T}_p, \mathcal{MT}_p\}$, $o_{\mathcal{J}}\colon X \to [0, 1]$ by

\[ o_{\mathcal{T}_p}(x) = 1 \qquad o_{\mathcal{MT}_p}(x) = \mu_0(x, 0). \]

The (Moore) output function $o$ is given by, for all $\varphi \in \mathcal{D}_\omega(X)$,

\[ o(\varphi) = \sum_{x \in \mathrm{supp}(\varphi)} \varphi(x) \times o_{\mathcal{J}}(x). \]

We can now show the equivalence between the coalgebraic and the original definition of
(maximal) trace semantics.
4.2.7 Theorem. Let $(X, \delta\colon X \to (\mathcal{D}_\omega(X))^A)$ be a GPS and $(\mathcal{D}_\omega(X), (o, t))$ be its associated
determinisation as in Figure 4.9. Then, for all $x \in X$ and $w \in A^*$:

\[ \llbracket \eta(x) \rrbracket(w) = \mathcal{J}(x)(w). \]

Proof. By induction on $w \in A^*$, similar to Theorem 4.2.5. □

Consider, for instance, the systems $p'$ and $u'$ in Example 4.2.4. They are trace equivalent
as they both can execute traces $\varepsilon$, $a$ and $aa$ with total probability 1. Consequently, they
are maximal trace equivalent as well: for sequences $\varepsilon$ and $a$, their associated maximal
trace functions compute value 0, whereas for $aa$ the latter return value 1.

The same answer with respect to (maximal) trace equivalence of $p'$ and $u'$ is obtained
by reasoning on bisimilarity of their associated determinisations derived according to the
powerset construction. It is easy to check that in the current setting, the Moore automata
corresponding to $\varphi_1$ and $\alpha_1$ in Example 4.2.4 output

- for the case of trace semantics:

\[ (\forall i \in \{1, 2, 3\}).\ o_{\varphi_i} = o_{\alpha_i} = 1; \]

- for the case of maximal trace semantics:

\[ (\forall i \in \{1, 2\}).\ o_{\varphi_i} = o_{\alpha_i} = 0 \quad \text{and} \quad o_{\varphi_3} = o_{\alpha_3} = 1. \]

Therefore $\varphi_1$ and $\alpha_1$ are bisimilar. Hence, $p'$ and $u'$ are (maximal) trace equivalent.
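The determinisation of Figure 4.9 and the functions of Definitions 4.2.1 and 4.2.6 can be checked against each other on the systems of Example 4.2.4, which also exercises Theorems 4.2.5 and 4.2.7 on a concrete instance. The following Python script is an added example, not code from the thesis: it represents $\mathcal{D}_\omega(X)$-states as finitely supported dictionaries of exact fractions, implements $\eta$, $t$, $o$ and $\llbracket - \rrbracket$ from Figure 4.9, computes $\mu_w$, $\mathcal{R}_p$, $\mathcal{T}_p$ and $\mathcal{MT}_p$ directly from their definitions, and compares the two on all words up to a given length. The transition probabilities $x$ and $y$ are fixed to $3/10$ and $3/5$ (an assumption; the thesis keeps them symbolic), and the graph of the two GPS's is the one read off the ready function computations of Example 4.2.4.

```python
"""Moore-machine determinisation of a generative probabilistic system (GPS), next to
the ready / (maximal) trace functions of [JS90] computed from mu_w.
Added example, not the thesis' own code.  The GPS is the one of Example 4.2.4 with
x and y fixed to concrete values (an assumption: the text keeps them symbolic)."""
from fractions import Fraction as F
from itertools import product

X_, Y_ = F(3, 10), F(3, 5)          # x = 3/10, y = 3/5 (assumed values)
# delta: state -> {action: {successor: probability}}, total mass <= 1 as in (4.11).
GPS = {"p'": {"a": {"q'": X_, "r'": 1 - X_}}, "q'": {"a": {"s'": F(1)}},
       "r'": {"a": {"t'": F(1)}}, "s'": {}, "t'": {},
       "u'": {"a": {"v'": F(1)}}, "v'": {"a": {"w'": Y_, "w''": 1 - Y_}},
       "w'": {}, "w''": {}}
A = ("a",)                           # alphabet of the example


def initials(x):
    """I(x): the actions fired from x with probability > 0."""
    return frozenset(a for a, ys in GPS[x].items() if any(p > 0 for p in ys.values()))


def mu_zero(x):
    """mu_0(x, 0) = 1 - sum_{a,y} mu(x, a, y): the probability that x terminates."""
    return 1 - sum((p for ys in GPS[x].values() for p in ys.values()), F(0))


# --- the original definitions: mu_w and the decorated trace functions ----------
def mu(x, w, y):
    """mu_eps(x, y) = [x = y];  mu_aw(x, y) = sum_{x'} mu_a(x, x') * mu_w(x', y)."""
    if not w:
        return F(int(x == y))
    return sum((p * mu(xp, w[1:], y) for xp, p in GPS[x].get(w[0], {}).items()), F(0))


def ready_fn(x, w, I):
    """R_p(x)((w, I)) = sum_{y : I(y) = I} mu_w(x, y)            (Definition 4.2.1)."""
    return sum((mu(x, w, y) for y in GPS if initials(y) == I), F(0))


def trace_fn(x, w):
    """T_p(x)(w) = sum_y mu_w(x, y)                               (Definition 4.2.6)."""
    return sum((mu(x, w, y) for y in GPS), F(0))


def maxtrace_fn(x, w):
    """MT_p(x)(w) = mu_{w0}(x, 0) = sum_y mu_w(x, y) * mu_0(y, 0)."""
    return sum((mu(x, w, y) * mu_zero(y) for y in GPS), F(0))


# --- the decorated GPS and its determinisation (Figure 4.9) ---------------------
def o_ready(I):
    """o_{R_p}(x)(I) = 1 if I = I(x), 0 otherwise (one decoration per ready set I)."""
    return lambda x: F(int(initials(x) == I))

o_trace = lambda x: F(1)     # o_{T_p}(x) = 1
o_maxtrace = mu_zero         # o_{MT_p}(x) = mu_0(x, 0)


def eta(x):
    """Unit of the distribution monad: the Dirac distribution on x."""
    return {x: F(1)}


def t(phi, a):
    """t(phi)(a)(y) = sum_{x in supp(phi)} delta(x)(a)(y) * phi(x)."""
    nxt = {}
    for x, px in phi.items():
        for y, pxy in GPS[x].get(a, {}).items():
            nxt[y] = nxt.get(y, F(0)) + px * pxy
    return nxt


def o(phi, dec):
    """o = h_J . D_w(o_J): the convex combination of the members' decorations."""
    return sum((px * dec(x) for x, px in phi.items()), F(0))


def beh(phi, w, dec):
    """[[phi]](eps) = o(phi);  [[phi]](aw) = [[t(phi)(a)]](w)."""
    for a in w:
        phi = t(phi, a)
    return o(phi, dec)


def words(max_len):
    for n in range(max_len + 1):
        yield from product(A, repeat=n)


def theorem_4_2_5_holds(x, max_len=3):
    """[[eta(x)]](w)(S) = J(x)(w, S) for every word up to max_len and every decoration."""
    for w in words(max_len):
        for I in (frozenset(), frozenset(A)):
            if beh(eta(x), w, o_ready(I)) != ready_fn(x, w, I):
                return False
        if beh(eta(x), w, o_trace) != trace_fn(x, w):
            return False
        if beh(eta(x), w, o_maxtrace) != maxtrace_fn(x, w):
            return False
    return True


def equivalent(x, y, decs, max_len=3):
    """Compare the Moore behaviours of eta(x) and eta(y) on all words up to max_len.
    The example GPSs are acyclic of depth 2, so length 3 is exhaustive for them."""
    return all(beh(eta(x), w, d) == beh(eta(y), w, d) for w in words(max_len) for d in decs)


READY = [o_ready(frozenset()), o_ready(frozenset(A))]
if __name__ == "__main__":
    print("Theorem 4.2.5 on p' :", theorem_4_2_5_holds("p'"))        # True
    print("p' ~R_p  u'         :", equivalent("p'", "u'", READY))      # True
    print("p' ~MT_p u'         :", equivalent("p'", "u'", [o_maxtrace]))  # True
    print("p' ~R_p  q'         :", equivalent("p'", "q'", READY))      # False: q' stops after one a
```

Because $\llbracket \eta(x) \rrbracket$ is computed by iterating $t$ while $\mathcal{R}_p(x)$ is computed from the recursive definition of $\mu_w$, `theorem_4_2_5_holds` is a genuine (bounded) check of Theorem 4.2.5 rather than a tautology. For cyclic GPS's the word bound would have to be replaced by a coinductive search over the reachable distributions, as in the LTS case.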


4.3 Decorated trace semantics in a nutshell

Next we provide a more compact overview of the coalgebraic machinery introduced in
Section 4.1 and Section 4.2. This is also in order to emphasise the generality and uniformity
of our coalgebraic framework.

Recall that for each of the decorated trace semantics we first instantiate the constituents of
Figure 4.2 (summarising the generalised powerset construction). Moreover, for the case
of LTS's, the original definitions of the semantics under consideration are provided with
equivalent representations in terms of functions $\varphi^{\mathcal{J}}_x$, paving the way to their interpretation
in terms of final Moore coalgebras.

All these are summarised in Figure 4.10 for an arbitrary LTS $(X, \delta\colon X \to (\mathcal{P}_\omega X)^A)$ and an
arbitrary GPS $(X, \delta\colon X \to (\mathcal{D}_\omega X)^A)$.

Once the ingredients of Figure 4.2 and, for LTS's, functions $\varphi^{\mathcal{J}}_x$ are defined, we formalise
the equivalence between the coalgebraic modelling of $\mathcal{J}$-semantics and its original definition.

For the case of LTS's, for $\mathcal{J}$ ranging over $\mathcal{T}, \mathcal{CT}, \mathcal{F}, \mathcal{R}, \mathcal{PF}, \mathcal{RT}$ and $\mathcal{FT}$, we show that
the following result holds:

4.3.1 Theorem. Let $(X, \delta\colon X \to (\mathcal{P}_\omega X)^A)$ be an LTS. For all $x \in X$, $\llbracket \{x\} \rrbracket = \varphi^{\mathcal{J}}_x$.

Orthogonally, for the case of GPS's, for $\mathcal{J}$ ranging over $\mathcal{R}_p, \mathcal{F}_p, \mathcal{MF}_p, \mathcal{T}_p$ and $\mathcal{MT}_p$, we
prove the following:

4.3.2 Theorem. Let $(X, \delta\colon X \to (\mathcal{D}_\omega X)^A)$ be a GPS. For all $x \in X$, $\llbracket \eta(x) \rrbracket = \mathcal{J}(x)$.











For each of the semantics under consideration, the proofs of Theorem 4.3.1 and Theorem
4.3.2 follow by induction on words over the corresponding action alphabet. For more
details see the proof of Theorem 4.1.3 in Section 4.1.1 (for LTS's) and Theorem 4.2.5 in
Section 4.2.1 (for GPS's), respectively.

Remark 12. It is worth observing that by instantiating $T$ with the identity functor, and $\mathcal{F}$ with
$\mathcal{P}_\omega(-)^A$ and, respectively, $\mathcal{D}_\omega(-)^A$ in (2.7) in Section 2.3, one gets the coalgebraic modelling
of the standard notion of bisimilarity for LTS's and, respectively, GPS's.

Concrete examples on how to use the coalgebraic frameworks are provided for each of the 
decorated trace semantics. We show how to derive determinisations of LTS’s and GPS’s 
in terms of Moore automata, which eventually are used to reason on the corresponding 
equivalences in terms of Moore bisimulations. 


\[ \begin{array}{l|l|l}
\mathcal{J} & B_{\mathcal{J}} & o_{\mathcal{J}}\colon X \to B_{\mathcal{J}} \\ \hline
\mathcal{R} & \mathcal{P}(\mathcal{P}_\omega A) & o_{\mathcal{R}}(x) = \{I(\delta(x))\} \\
\mathcal{F} & \mathcal{P}(\mathcal{P}_\omega A) & o_{\mathcal{F}}(x) = \mathrm{Fail}(\delta(x)) \\
\mathcal{T} & 2 & o_{\mathcal{T}}(x) = 1 \\
\mathcal{CT} & 2 & o_{\mathcal{CT}}(x) = \begin{cases} 1 & \text{if } I(\delta(x)) = \emptyset \\ 0 & \text{otherwise} \end{cases} \\
\mathcal{PF} & \mathcal{P}(\mathcal{P}A^*) & o_{\mathcal{PF}}(x) = \{\mathcal{T}(x)\} \\
\mathcal{RT} & \mathcal{P}(\mathcal{P}_\omega A) & o_{\mathcal{RT}}(x) = \{I(\delta(x))\} \\
\mathcal{FT} & \mathcal{P}(\mathcal{P}_\omega A) & o_{\mathcal{FT}}(x) = \mathrm{Fail}(\delta(x)) \\ \hline
\mathcal{R}_p & [0, 1]^{\mathcal{P}_\omega(A)} & o_{\mathcal{R}_p}(x)(I) = \begin{cases} 1 & \text{if } I = I(x) \\ 0 & \text{otherwise} \end{cases} \\
\mathcal{F}_p & [0, 1]^{\mathcal{P}_\omega(A)} & o_{\mathcal{F}_p}(x)(Z) = \begin{cases} 1 & \text{if } Z \cap I(x) = \emptyset \\ 0 & \text{otherwise} \end{cases} \\
\mathcal{MF}_p & [0, 1]^{\mathcal{P}_\omega(A)} & o_{\mathcal{MF}_p}(x)(Z) = \begin{cases} 1 & \text{if } Z = A - I(x) \\ 0 & \text{otherwise} \end{cases} \\
\mathcal{T}_p & [0, 1] & o_{\mathcal{T}_p}(x) = 1 \\
\mathcal{MT}_p & [0, 1] & o_{\mathcal{MT}_p}(x) = \mu_0(x, 0)
\end{array} \]

Figure 4.10: The coalgebraic framework in a nutshell.


4.4 Canonical representatives

Given a decorated system $(X, (o_{\mathcal{J}}, \delta))$, we showed in the previous sections how to construct
a determinisation $(T(X), (o, t))$, with $T = \mathcal{P}_\omega$ for the case of LTS's, and $T = \mathcal{D}_\omega$ for GPS's,
respectively. The map $\llbracket - \rrbracket\colon TX \to B_{\mathcal{J}}^{A^*}$ provides us with a canonical representative of the
behaviour of each state in $TX$. The image $(C, \delta')$ of $(TX, (o, t))$, via the map $\llbracket - \rrbracket$, can be
viewed as the minimisation with respect to $\mathcal{J}$-equivalence.

Recall that the states of the final Moore coalgebra $(B_{\mathcal{J}}^{A^*}, (\varepsilon, (-)_a))$ are functions $\psi\colon A^* \to B_{\mathcal{J}}$
and that their decorations and transitions are given by the functions $\varepsilon\colon B_{\mathcal{J}}^{A^*} \to B_{\mathcal{J}}$ and
$(-)_a\colon B_{\mathcal{J}}^{A^*} \to (B_{\mathcal{J}}^{A^*})^A$, defined in Example 2.2.8 in Section 2.2. The states of the canonical
representative $(C, \delta')$ are also functions $\psi\colon A^* \to B_{\mathcal{J}}$, i.e., $C \subseteq B_{\mathcal{J}}^{A^*}$. Moreover, the function
$\delta'\colon C \to B_{\mathcal{J}} \times C^A$ is simply the restriction of $(\varepsilon, (-)_a)$ to $C$, that means $\delta'(\psi) = (\psi(\varepsilon), \lambda a.\ \psi_a)$
for all $\psi \in C$.

Finally, it is interesting to observe that for LTS's $B_{\mathcal{J}}^{A^*}$ carries a semilattice structure (inherited
from $B_{\mathcal{J}}$) and that $\llbracket - \rrbracket\colon \mathcal{P}_\omega X \to B_{\mathcal{J}}^{A^*}$ is a semilattice homomorphism. From this observation,
it is immediate to conclude that also $C$ is a semilattice, but it is not necessarily freely
generated, i.e., it is not necessarily a powerset. Similarly, for GPS's $B_{\mathcal{J}}^{A^*}$ carries a positive
convex algebra structure (these are the $\mathcal{D}_\omega$-algebras) and $\llbracket - \rrbracket\colon \mathcal{D}_\omega X \to B_{\mathcal{J}}^{A^*}$ is a positive
convex algebra homomorphism. Again, from this observation, we know that also $C$ is a
positive convex algebra (not necessarily freely generated).


4.5 Recovering the spectrum 

We will briefly explain how to recover the spectrums from Figure [4~T1 from the coalgebraic 
modelling. First, we recall the following folklore result from coalgebra theory which is the 
key behind building the spectrum. Let Coalg,(,jP) denote the category of all ^-coalgebras 
with a free carrier (arising from a powerset construction) and ^-homomorphisms. That 
is, the objects are of the form T(X) —> , r XT(X). Given two functors & and ‘S, if one can 
construct a functor a : Coalg^(^) —» Coalg|(^) then 

In the current setting, we apply this to the category Coalg, (TP) of all ,^-coalgebras with a 
free carrier (arising from a powerset construction) and J^-homomorphisms. That is, the 
objects are of the form T(X) —» &T(X). 

For all the relations in the spectrum we can indeed define such a σ. We illustrate here the case for failure and complete trace:

$$\sigma\colon\ \Big(\mathcal{P}_\omega X \xrightarrow{(o_{\mathcal{F}},\,t)} \mathcal{P}_\omega(\mathcal{P}_\omega(A)) \times (\mathcal{P}_\omega X)^A\Big)\ \longmapsto\ \Big(\mathcal{P}_\omega X \xrightarrow{(o_{\mathcal{CT}},\,t)} 2 \times (\mathcal{P}_\omega X)^A\Big)$$

In order to prove that σ is a functor we need to show that it preserves homomorphisms.

4.5.1 Lemma. Consider f: 𝒫_ω(X) → 𝒫_ω(Y) such that o_ℱ = o_ℱ ∘ f. Then o_𝒞𝒯 = o_𝒞𝒯 ∘ f.

Proof.

$$\begin{array}{rl}
& o_{\mathcal F}(S) = o_{\mathcal F}\circ f(S)\\[2pt]
\Leftrightarrow & \{Z \subseteq A \mid Z \cap I(\delta(s)) = \emptyset,\ s \in S\} = \{Z \subseteq A \mid Z \cap I(\delta(s')) = \emptyset,\ s' \in f(S)\}\\[2pt]
\Leftrightarrow & \forall s \in S\ \exists s' \in f(S).\ \big(Z \cap I(\delta(s)) = \emptyset \Leftrightarrow Z \cap I(\delta(s')) = \emptyset\big)\ \text{and vice-versa}\\[2pt]
\Rightarrow & \forall s \in S\ \exists s' \in f(S).\ \big(I(\delta(s)) = \emptyset \Leftrightarrow I(\delta(s')) = \emptyset\big)\ \text{and vice-versa}\\[2pt]
\Leftrightarrow & \bigvee_{s \in S}\big(I(\delta(s)) = \emptyset\big) = \bigvee_{s' \in f(S)}\big(I(\delta(s')) = \emptyset\big)\\[2pt]
\Leftrightarrow & o_{\mathcal{CT}}(S) = o_{\mathcal{CT}} \circ f(S)
\end{array}$$

Note that this is different from the technique used to recover a hierarchy of probabilistic systems in [BSdV04], where injective natural transformations were defined between functor types and it was then shown that bisimilarity is reflected by these transformations. Here the situation is different: for several different equivalences we have the same functor (e.g., for and SZ).
In the case of the probabilistic spectrum similar proofs can be given. We illustrate it for the case of probabilistic ready and trace semantics:

$$\sigma\colon\ \Big(\mathcal{D}_\omega X \xrightarrow{(o_{\mathcal{R}_p},\,t)} [0,1]^{\mathcal{P}_\omega(A)} \times (\mathcal{D}_\omega X)^A\Big)\ \longmapsto\ \Big(\mathcal{D}_\omega X \xrightarrow{(o_{\mathcal{T}_p},\,t)} [0,1] \times (\mathcal{D}_\omega X)^A\Big)$$

Again, in order to prove that σ is a functor we need to show that it preserves homomorphisms.


4.5.2 Lemma. Consider f: 𝒟_ω(X) → 𝒟_ω(Y) such that o_{ℛ_p} = o_{ℛ_p} ∘ f. Then o_{𝒯_p} = o_{𝒯_p} ∘ f.

Proof.

$$\begin{array}{rl}
& o_{\mathcal{R}_p}(\varphi) = o_{\mathcal{R}_p}\circ f(\varphi)\\[2pt]
\Leftrightarrow & \displaystyle\sum_{x \in X,\ I = I(x)} \varphi(x) = \sum_{y \in Y,\ I = I(y)} f(\varphi)(y),\ \text{ for all } I \subseteq A\\[2pt]
\Rightarrow & \displaystyle\sum_{I \subseteq A}\ \sum_{x \in X,\ I = I(x)} \varphi(x) = \sum_{I \subseteq A}\ \sum_{y \in Y,\ I = I(y)} f(\varphi)(y)\\[2pt]
\Leftrightarrow & \displaystyle\sum_{x \in X} \varphi(x) = \sum_{y \in Y} f(\varphi)(y)\\[2pt]
\Leftrightarrow & o_{\mathcal{T}_p}(\varphi) = o_{\mathcal{T}_p}\circ f(\varphi)
\end{array}$$


4.6 Testing semantics 

In this section we show how must and may testing [CH89, DH84, Hen88] can be modelled coalgebraically by exploiting the generalised powerset construction in the context of LTS's with internal behaviour. As we shall see, the modelling of may testing is derived from the coalgebraic characterisation of trace semantics in Section 4.1.2 in a straightforward fashion. The coalgebraic characterisation of must testing follows as an "extension to divergence" of failure semantics in Section 4.1.1.

In our approach we consider LTS's on an alphabet A + {τ}, where τ is a special label representing internal actions. We write ⇒^ε for →^{τ*}, the reflexive and transitive closure of →^τ, and, for a ∈ A, by ⇒^a we denote →^{τ*} →^a →^{τ*}. For w ∈ A*, ⇒^w is defined inductively, in the obvious way.

4.6.1 From traces to may testing 

In this section we show how may testing semantics can be modelled in the coalgebraic setting.

Intuitively, may testing relates processes in terms of the observable traces (consisting of actions different from τ) they can execute, ignoring (any number of) occurrences of the internal action τ.

Let L(p) represent the set of observable traces associated with a state p of an LTS with actions in A ∪ {τ}, referred to as the language of p:

$$L(p) = \{\, w \in (A \setminus \{\tau\})^* \mid (\exists p').\ p \xRightarrow{w} p' \,\}. \tag{4.12}$$

In [CH89], an alternative characterisation of may testing semantics is defined as follows.

4.6.1 Definition (May semantics [CH89]). Let x and y be two states of an LTS. We write x ⊑_may y iff L(x) ⊆ L(y). We say that x and y are may-equivalent (x ≃_may y) iff x ⊑_may y and y ⊑_may x.

The connection with trace semantics in Section 4.1.2 is rather obvious: both may and trace distinguish processes depending on their languages. Hence, we further provide an extension of the coalgebraic modelling of trace semantics to the context of LTS's with internal behaviour, and show that it corresponds precisely to may testing as given in Definition 4.6.1.

To begin with, we model LTS's with internal behaviour as coalgebras (S, t: S → (𝒫_ω S)^A) such that, for x ∈ S and a ∈ A:

$$t(x)(a) = \{\, y \mid x \xRightarrow{a} y \,\}. \tag{4.13}$$

Then, we decorate LTS's by means of a function o: S → 2 such that, for all x ∈ S,

$$o(x) = 1,$$

and apply the generalised powerset construction as depicted in Section 2.3. Similarly to the case of trace semantics, the final Moore coalgebra is 2^{A*}, the set of languages over A. Therefore, by the definition of the transition function t in (4.13), it immediately follows that the behaviour map [[−]] captures precisely the languages of states in S. Namely, for all x ∈ S:

$$[\![x]\!] = L(x).$$

Note that 2^{A*} carries a join semilattice structure, where the identity is the empty language and the join is the union of languages. Consider ⊆ the associated preorder. At this point, the coalgebraic modelling of may testing semantics is straightforward:

4.6.2 Theorem. Let x and y be two states of an LTS. Then

$$x \sqsubseteq_{may} y\ \text{ iff }\ [\![x]\!] \subseteq [\![y]\!] \qquad\text{and}\qquad x \simeq_{may} y\ \text{ iff }\ [\![x]\!] = [\![y]\!].$$


4.6.2 From failures to must testing 

In what follows we provide a coalgebraic handling of must testing semantics [DH84, Hen88], and show the connection between our approach and the framework used for the corresponding (alternative) modelling in [CH89].

Intuitively, must testing relates processes based on the traces that do not lead to divergent states (i.e., states that can engage in infinite internal computations), and on a notion of non-determinism captured in terms of antichains of corresponding ready actions. By exploiting the isomorphism between antichains and downsets introduced in Section 4.1.1, it is easy to observe that must testing coincides with failure semantics for LTS's without internal behaviour (as formalised in Proposition 4.6.10 later on in this section). With this intuition in mind, we provide an extension of failure semantics to the context of divergent LTS's and show that it coincides with must testing semantics. The aforementioned coincidence is proven by employing a "lifting" of the isomorphism between downsets and antichains, encompassing information on both the degree of non-determinism and the divergence of processes.
We first recall some notation from [CH89]. The acceptance set of x after w is

$$A(x, w) = \{\, \{a \in A \mid x' \xrightarrow{a}\} \mid x \xRightarrow{w} x'\ \wedge\ x' \not\xrightarrow{\tau} \,\}.$$

Intuitively, it represents the sets of actions that can be fired after "maximal" executions of w from x, i.e., those that cannot be extended by τ-labelled transitions.

The possibility of an LTS to execute τ-actions forever is referred to as divergence. We write x ⇑ whenever x diverges. Dually, the convergence relation x ⇓ w for a state x and a word w ∈ A* is inductively defined as follows: x ⇓ ε iff x does not diverge, and x ⇓ aw' iff (a) x ⇓ ε and (b) if x ⇒^a x', then x' ⇓ w'.

Given two sets B, C ∈ 𝒫_ω(𝒫_ω(A)), we write B ⊂⊂ C iff for all B_i ∈ B there exists C_i ∈ C such that C_i ⊆ B_i.

With these ingredients, it is possible to introduce the must preorder and equivalence.

4.6.3 Definition (Must semantics [CH89]). Let x and y be two states of an LTS. We write x ⊑_mst y iff for all words w ∈ A*, if x ⇓ w then y ⇓ w and A(y, w) ⊂⊂ A(x, w). We say that x and y are must-equivalent (x ≃_mst y) iff x ⊑_mst y and y ⊑_mst x.

As an example, consider the LTS's depicted below. States x_4, x_5 and y_1 are divergent. All the other states diverge for words containing the letter b and converge for words in a*. For these words and the states x, x_1, x_2, x_3 and y, the corresponding acceptance sets equal {{a, b}}. In particular, note that A(x_2, ε) is {{a, b}} and not {{b}, {a, b}}. It is therefore easy to conclude that x, x_1, x_2, x_3 and y are all must-equivalent.

[Figure (4.14): the two LTS's discussed above; the drawing is not reproduced in this extraction.]

Coalgebraic characterisation of must semantics. In what follows we show how must testing semantics can be captured in terms of coalgebras.

In order to proceed, we have to properly tackle internal behaviour and divergence. We model LTS's on A + {τ} in terms of coalgebras (S, t: S → (1 + 𝒫_ω S)^A), where 1 = {⊤} is the singleton set and, for x ∈ S,

$$t(x)(a) = \begin{cases} \top & \text{if } x \Uparrow a\\ \{\, y \mid x \xRightarrow{a} y \,\} & \text{otherwise.}\end{cases} \tag{4.15}$$

Note that we use x ⇑ a as a shorthand for x ⇑ aε. Intuitively, a state x ∈ S that displays divergent behaviour with respect to an action a ∈ A is mapped to ⊤. Otherwise t computes the set of states that can be reached from x through a (possibly performing a finite number of τ-transitions).

Similarly to failure equivalence in Section 4.1.1, we decorate the states of the LTS by means of a function o: S → 1 + 𝒫_ω(𝒫_ω(A)) defined as follows:

$$o(x) = \begin{cases} \top & \text{if } x \Uparrow\\ \bigcup\{\, Fail(t(x')) \mid x \xRightarrow{\varepsilon} x'\ \wedge\ x' \not\xrightarrow{\tau} \,\} & \text{if } x \xrightarrow{\tau}\\ Fail(t(x)) & \text{otherwise.}\end{cases} \tag{4.16}$$
Note that (S, (o, t)) is an FT-coalgebra for the functor F(S) = (1 + 𝒫_ω(𝒫_ω A)) × S^A and the monad T(S) = 1 + 𝒫_ω S. T-algebras are semilattices with bottom and an extra element ⊤ acting as top (i.e., such that x ∪ ⊤ = ⊤ for all x). For any set U, 1 + 𝒫_ω(U) carries a semilattice structure with bottom and top: bottom is the empty set; top is the element ⊤ ∈ 1; X ∪ Y is defined as the union for arbitrary subsets X, Y ∈ 𝒫_ω(U) and as ⊤ otherwise. Consequently, 1 + 𝒫_ω(𝒫_ω A) and FT(S) carry a T-algebra structure as well. This enables the application of the generalised powerset construction (Section 2.3), associating to each FT-coalgebra (S, (o, t)) the F-coalgebra (1 + 𝒫_ω S, (o^♯, t^♯)) defined for all X ∈ 1 + 𝒫_ω S as expected:

Note that in the above definitions ∪ is not simply the union of subsets (as was the case for failure), but the join operation in 1 + 𝒫_ω(𝒫_ω A) and 1 + 𝒫_ω S. Moreover, (1 + 𝒫_ω S, (o^♯, t^♯)) is a Moore machine with output in 1 + 𝒫_ω(𝒫_ω A) and therefore induces a function [[−]]: 1 + 𝒫_ω(S) → (1 + 𝒫_ω(𝒫_ω A))^{A*}. The semilattice structure of 1 + 𝒫_ω(𝒫_ω(A)) can easily be lifted to (1 + 𝒫_ω(𝒫_ω A))^{A*}: bottom, top and ∪ are defined pointwise on A*. We denote by ⊑_ℱ the preorder on (1 + 𝒫_ω(𝒫_ω A))^{A*} induced by this semilattice.

A result (based on the isomorphism between downsets and antichains) similar to the one for failures in Section 4.1.1 can also be derived, in a modular fashion, for the case of LTS's decorated with outputs in 1 + 𝒫_ω(𝒫_ω A).

As shown in Section 4.1.1, both the set of downsets 𝒟(𝒫_ω(A)) and the set of antichains 𝒜(𝒫_ω(A)) carry join-semilattice structures. It is easy to see that the corresponding extensions to 1 + (−) are join-semilattices with bottom ∅, top ⊤ (which, intuitively, plays the role of the greatest element) and ∪ extended as ⊤ ∪ C = ⊤ for C ∈ 1 + 𝒟(𝒫_ω(A)) or C ∈ 1 + 𝒜(𝒫_ω(A)), respectively.

The isomorphism 1 + i: 1 + 𝒟(𝒫_ω(A)) → 1 + 𝒜(𝒫_ω(A)) follows immediately from the isomorphism i: 𝒟(𝒫_ω(A)) → 𝒜(𝒫_ω(A)) in (4.4) in Section 4.1.1 by defining

$$(1 + i)(\top) = \top \qquad\qquad (1 + i)(F) = i(F),\ \ F \neq \top.$$

In the sequel, we will exploit 1 + i to define a "more efficient" characterisation of the function o^♯: 1 + 𝒫_ω(S) → 1 + 𝒫_ω(𝒫_ω(A)), also useful to prove the soundness of the coalgebraic modelling of must testing semantics (formalised in Theorem 4.6.7).

As a first step, observe that the function o: S → 1 + 𝒫_ω(𝒫_ω(A)) can be restricted to o: S → 1 + 𝒟(𝒫_ω(A)) (since if x ⇓ then o(x) is a downset, and the union of downsets is a downset; otherwise o(x) = ⊤). In analogy with Section 4.1.1, we define o_2: S → 1 + 𝒜(𝒫_ω(A)) as

$$o_2(x) = \begin{cases} \top & \text{if } x \Uparrow\\ \min\big(\bigcup\{\, I(t(x')) \mid x \xRightarrow{\varepsilon} x'\ \wedge\ x' \not\xrightarrow{\tau} \,\}\big) & \text{if } x \xrightarrow{\tau}\\ \{I(t(x))\} & \text{otherwise}\end{cases}$$

and o_2^♯: 1 + 𝒫_ω(S) → 1 + 𝒜(𝒫_ω(A)) as

$$o_2^\sharp(X) = \begin{cases} \top & \text{if } X = \top\\ \emptyset & \text{if } X = \emptyset\\ o_2(x) & \text{if } X = \{x\} \text{ with } x \in S\\ \min\big(o_2^\sharp(X_1) \cup o_2^\sharp(X_2)\big) & \text{if } X = X_1 \cup X_2.\end{cases}$$
Proposition 4.6.6 states that computing o^♯ or computing o_2^♯ is equivalent. To this aim, we need the following lemmas.

4.6.4 Lemma. (1 + i) ∘ o = o_2.

Proof. If x ⇑, then o_2(x) = ⊤ = (1 + i) ∘ o(x). If x ⇓ and x ↛^τ then o_2(x) = {I(t(x))} = (1 + i)(Fail(t(x))) = (1 + i) ∘ o(x). If x ⇓ and x →^τ then observe that o(x) = ⋃{Fail(t(x')) | x ⇒^ε x' and x' ↛^τ} and that

$$o_2(x) = \min\Big(\bigcup\{\, I(t(x')) \mid x \xRightarrow{\varepsilon} x' \text{ and } x' \not\xrightarrow{\tau} \,\}\Big).$$

We obtain the conclusion by the previous case and by the fact that i is a homomorphism of semilattices. □

4.6.5 Lemma. (1 + i) ∘ o^♯ = o_2^♯.

Proof. Follows immediately from Lemma 4.6.4 and the fact that (1 + i) is a homomorphism of semilattices. □

4.6.6 Proposition. For all X, Y ∈ 𝒫_ω(S), o^♯(X) = o^♯(Y) iff o_2^♯(X) = o_2^♯(Y).

Proof. Follows from Lemma 4.6.5 and the fact that (1 + i) is an isomorphism of semilattices. □

Remark 13. Note that the relation ⊂⊂ used for defining ⊑_mst,

$$B \subset\!\subset C\ \text{ iff }\ (\forall B_i \in B).(\exists C_i \in C).\ C_i \subseteq B_i, \tag{4.17}$$

is the ordering induced by ∪ in 𝒜(𝒫_ω(A)):

$$\begin{array}{rll}
& \min(B \cup C) = C &\\[2pt]
\text{iff} & \min(B \cup C) = \min(C) & (\text{as } C \in \mathcal{A}(\mathcal{P}_\omega(A)))\\[2pt]
\text{iff} & (\forall B_i \in B).(\exists C_i \in C).\ C_i \subseteq B_i & (\text{by definition of } \min)\\[2pt]
\text{iff} & B \subset\!\subset C & (\text{by definition of } \subset\!\subset)
\end{array}$$

We formalise the coalgebraic modelling of must semantics in the following theorem.

4.6.7 Theorem. Let x and y be two states of an LTS. Then

$$x \sqsubseteq_{mst} y\ \text{ iff }\ [\![\{y\}]\!] \sqsubseteq_{\mathcal F} [\![\{x\}]\!] \qquad\text{and}\qquad x \simeq_{mst} y\ \text{ iff }\ [\![\{x\}]\!] = [\![\{y\}]\!].$$

The morphism o_2^♯: 1 + 𝒫_ω S → 1 + 𝒜(𝒫_ω(A)) is useful to prove that the preorders ⊑_ℱ and ⊑_mst coincide. Indeed, the Moore machine (1 + 𝒫_ω S, (o_2^♯, t^♯)) induces the morphism [[−]]_2: 1 + 𝒫_ω S → (1 + 𝒜(𝒫_ω(A)))^{A*}, defined for all X ∈ 1 + 𝒫_ω(S) as

$$[\![X]\!]_2(\varepsilon) = o_2^\sharp(X) \qquad\qquad [\![X]\!]_2(aw) = [\![t^\sharp(X)(a)]\!]_2(w).$$

The isomorphism (1 + i): 1 + 𝒟(𝒫_ω(A)) → 1 + 𝒜(𝒫_ω(A)) can be extended to the isomorphism (1 + i)^{A*}: (1 + 𝒟(𝒫_ω(A)))^{A*} → (1 + 𝒜(𝒫_ω(A)))^{A*}, defined for every function φ ∈ (1 + 𝒟(𝒫_ω(A)))^{A*} and word w ∈ A* as

$$(1 + i)^{A^*}(\varphi)(w) = (1 + i)(\varphi(w)).$$

Note that the function [[−]]: 1 + 𝒫_ω(S) → (1 + 𝒫_ω(𝒫_ω(A)))^{A*} can be restricted to [[−]]: 1 + 𝒫_ω(S) → (1 + 𝒟(𝒫_ω(A)))^{A*}.
4.6.8 Proposition. (1 + i)^{A*} ∘ [[−]] = [[−]]_2.

Proof. This can be proved by ordinary induction on words, exploiting Lemma 4.6.5 for the base case. □

The ordering ⊑_{ℱ,2} induced by the semilattice structure of (1 + 𝒜(𝒫_ω(A)))^{A*} is given as follows: for all φ, ψ ∈ (1 + 𝒜(𝒫_ω(A)))^{A*}, φ ⊑_{ℱ,2} ψ iff for all w ∈ A*

1. if φ(w) = ⊤ then ψ(w) = ⊤, and

2. if φ(w) ≠ ⊤ then either ψ(w) = ⊤ or φ(w) ⊂⊂ ψ(w).

Observe that [[X]]_2(w) = ⊤ iff X ⇑ w. Furthermore, whenever X = {x} and x ⇓ w, [[X]]_2(w) = A(x, w). As a consequence, the following proposition holds.

4.6.9 Proposition. [[{x}]]_2 ⊑_{ℱ,2} [[{y}]]_2 iff y ⊑_mst x.

Proof. Suppose that [[{x}]]_2 ⊑_{ℱ,2} [[{y}]]_2 and take a word w ∈ A*. If y ⇓ w, then [[{y}]]_2(w) ≠ ⊤ and also [[{x}]]_2(w) ≠ ⊤, that is, x ⇓ w. This means that [[{x}]]_2(w) ⊂⊂ [[{y}]]_2(w), that is, A(x, w) ⊂⊂ A(y, w). Summarising, y ⊑_mst x.

Now suppose that y ⊑_mst x and take a word w ∈ A*. If [[{x}]]_2(w) = ⊤, then x ⇑ w. This implies that also y ⇑ w (and thus [[{y}]]_2(w) = ⊤), because otherwise the hypothesis y ⊑_mst x would be violated. If [[{x}]]_2(w) ≠ ⊤, then we have two possibilities: (a) y ⇓ w or (b) y ⇑ w. For (a), we have that A(x, w) ⊂⊂ A(y, w), that is, [[{x}]]_2(w) ⊂⊂ [[{y}]]_2(w). For (b), we immediately have that [[{y}]]_2(w) = ⊤. □

From the two above propositions, Theorem 4.6.7 follows immediately.

Note that in the absence of divergence, the "decorating" function in (4.16) and the transition function in (4.15) correspond precisely to o_ℱ and δ in Section 4.1.1 for the case of failure semantics. Hence, by Theorem 4.6.7, Definition 4.6.3 and Remark 13, it follows immediately that must and failure semantics coincide in the context of LTS's without internal behaviour.

4.6.10 Proposition. Consider two states x, y of an LTS without internal behaviour. Then

$$x \sqsubseteq_{mst} y\ \text{ iff }\ \mathcal{F}(y) \subseteq \mathcal{F}(x) \qquad\qquad x \simeq_{mst} y\ \text{ iff }\ \mathcal{F}(x) = \mathcal{F}(y).$$


Remark 14. Note that according to the definition of ⊑_ℱ, [[{y}]] ⊑_ℱ [[{x}]] iff [[{y}]] ∪ [[{x}]] = [[{x}]], and since [[−]] is a T-homomorphism (namely it preserves bottom, top and ∪), the latter equality holds iff [[{y, x}]] = [[{x}]]. Summarising,

$$x \sqsubseteq_{mst} y\ \text{ iff }\ [\![\{x, y\}]\!] = [\![\{x\}]\!].$$

Consider, once more, the LTS in (4.14). The part of the Moore machine (1 + 𝒫_ω(S), (o^♯, t^♯)) which is reachable from {x} and {y} is depicted below (the output function o^♯ maps ⊤ to ⊤ and the other states to {∅}).

[Figure (4.18): the reachable part of the Moore machine, with the bisimulation drawn as dashed lines; the drawing is not reproduced in this extraction.]

The relation consisting of dashed lines is a bisimulation proving that [[{x}]] = [[{y}]], i.e., that x ≃_mst y.

Our construction is closely related to the one in [CH89], which transforms LTS's into (deterministic) acceptance graphs. We further provide more details on the connection between the coalgebraic machinery for reasoning on the must preorder and the corresponding framework in [CH89].

Moore machines and acceptance graphs. As previously introduced in this section, the behaviour of an LTS with divergence ℒ = (S, t: S → (1 + 𝒫_ω S)^A) can be captured in terms of a Moore machine

$$\mathcal{M} = \big(1 + \mathcal{P}_\omega S,\ (o^\sharp, t^\sharp)\colon 1 + \mathcal{P}_\omega S \to (1 + \mathcal{P}_\omega(\mathcal{P}_\omega A)) \times (1 + \mathcal{P}_\omega S)^A\big)$$

derived according to the powerset construction, and that reasoning on the must preorder is equivalent to reasoning on the preorder ⊑_ℱ on the final Moore coalgebra, as stated in Theorem 4.6.7.

In [CH89] the must preorder is established in terms of a notion of prebisimulation on the so-called "acceptance graphs" generated from such ℒ's, denoted by 𝒜𝒢(ℒ). Intuitively, an acceptance graph 𝒜𝒢(ℒ) consists of a set of nodes p of shape (Q, b) ∈ 𝒫_ω S × {tt, ff}, where Q is a set of states in S, and b is the boolean value tt whenever all states in Q converge (written Q ⇓) and ff otherwise.

Orthogonally to the Moore machines with output in 1 + 𝒫_ω(𝒫_ω A), for a node p = (Q, b) in 𝒜𝒢(ℒ) the information representing the divergence of (states in) Q is given by p.closed (= b), and the corresponding (minimised) acceptance set, consisting of visible actions that can be triggered as a first step from the states in Q, is represented by p.acc (defined later on in this section). Moreover, (deterministic) transitions in 𝒜𝒢(ℒ) are of shape (Q_1, b_1) →^a (Q_2, b_2), where a ∈ A and Q_2 is the set of a-successors of states in Q_1, computed with respect to ⇒^a.

Based on the resemblance between the aforementioned Moore machines and acceptance graphs, we consider it worth investigating to what extent these constructions and the corresponding "alternative" semantics used for reasoning on the must preorder are connected. In what follows we recall the formal definition of acceptance graphs as introduced in [CH89], and show that they are isomorphic (up to divergent behaviours) to the Moore machines used for the coalgebraic modelling of must semantics.

We proceed by first providing the basic ingredients needed for the definition of acceptance graphs.

Consider Q ∈ 𝒫_ω S. The ε-closure of Q is Q^ε = {p | q ⇒^ε p ∧ q ∈ Q}. The set of direct a-successors of states q ∈ Q is D(Q, a) = {q' | q →^a q' ∧ q ∈ Q}, where a ∈ A ∪ {τ}.

4.6.11 Definition (Acceptance graphs [CH89]). Consider an LTS with divergence ℒ, with state space S and visible actions labelled in A. The corresponding acceptance graph 𝒜𝒢(ℒ) = (T, A ∪ {τ}, →) is defined as follows.

1. T = {(Q, b) ∈ 𝒫_ω S × {tt, ff} | Q = Q^ε ∧ (b = tt ⇒ Q ⇓)}.

2. For p = (Q, b) ∈ T define p.closed = b and

$$p.acc = \begin{cases} \emptyset & \text{if } p.closed = ff\\ \min\big(\{\, \{a \in A \mid q \xrightarrow{a}\} \mid q \in Q\ \wedge\ q \not\xrightarrow{\tau} \,\}\big) & \text{otherwise.}\end{cases}$$
(We refer to (4.3) in Section 4.1.1 for the definition of min.)

3. A transition (Q_1, b_1) →^a_T (Q_2, b_2) is performed exactly when the following hold: (a) a ≠ τ, (b) D(Q_1, a)^ε = Q_2, and (c) b_1 = tt ∧ (Q_2 ⇓ ⇒ b_2 = tt).

It is worth observing that, according to Definition 4.6.11, acceptance graphs are deterministic and, moreover, there are no outgoing transitions from divergent states (see (c) above). Considering graphs satisfying the latter property comes as a natural consequence of the fact that the must preorder considers divergence catastrophic, as can be inferred from Definition 4.6.3.

Given an LTS with divergence ℒ and a state q of ℒ, the node in 𝒜𝒢(ℒ) corresponding to q is ({q}^ε, q ⇓). Orthogonally, the state corresponding to q in the Moore machine derived according to the powerset construction is {q}.

For an example, consider the following LTS:

[Figure: the example LTS ℒ with states q_1, ..., q_10; the drawing is not reproduced in this extraction.]

The associated Moore determinisation ℳ when starting from q_1, and the corresponding acceptance graph 𝒜𝒢(ℒ), respectively, are illustrated as follows.

[Figure: ℳ has the states {q_1} (output [abc]), its a-successor {q_2, q_3, q_6} (output [a] ∪ [b]), and then {q_8} (output [abc]), ⊤ (output ⊤) and {q_5, q_9} (output [abc]). 𝒜𝒢(ℒ) has the nodes ⟨{q_1, q_10}, tt⟩, its a-successor with acc {{b, c}, {a, c}}, and then ⟨{q_8}, tt⟩, ⟨{q_4, q_7}, ff⟩ and ⟨{q_5, q_9}, tt⟩. The drawings are not reproduced in this extraction.]

Recall from Section 4.1.1 that, for simplicity of notation, we write, for example, [abc] in order to denote the powerset of {a, b, c}. In 𝒜𝒢(ℒ), the notation (Q, b) → B represents a node p = (Q, b) such that p.acc = B and p.closed = b.

Observe that both ℳ and 𝒜𝒢(ℒ) are deterministic; transitions starting from the divergent state ⊤ in ℳ always produce output ⊤, whereas in 𝒜𝒢(ℒ) divergent nodes p = (Q^ε, ff) are deadlock-like and, moreover, p.acc = ∅.

Given an LTS ℒ with state space S, the connection between non-divergent nodes Q in the corresponding Moore machine ℳ = (1 + 𝒫_ω S, (o^♯, t^♯)) and those in the associated acceptance graph 𝒜𝒢(ℒ) is obvious. Each such Moore state Q corresponds to a node p = (Q^ε, tt) in the acceptance graph such that p.acc = i(o^♯(Q)), where i is the isomorphism between downsets and antichains defined in Section 4.1.1.

For example, the state {q_1} in ℳ is in one-to-one correspondence with p = ({q_1}^ε = {q_1, q_10}, tt) in 𝒜𝒢(ℒ), and, moreover:

$$i(o^\sharp(\{q_1\})) = i\big(F = \{\emptyset, \{a\}, \{b\}, \{c\}, \{a, b\}, \{a, c\}, \{b, c\}, \{a, b, c\}\}\big) = \min\Big(\bigcup_{F_i \in F}\{A \setminus F_i\}\Big) = \{\emptyset\} = p.acc.$$

As already hinted, a divergent set of states Q is represented by ⊤ in the Moore machine derived from an LTS, and it corresponds to a node p = (Q^ε, ff) in the associated acceptance graph, such that p has no outgoing transitions and p.acc = ∅. For this case we refer to the states Q = {q_4, q_7} in ℒ.

An important remark is that divergent nodes and their successors in the Moore machines can safely be ignored when reasoning on ⊑_ℱ. This follows as a consequence of

$$\begin{array}{rll}
& [\![X]\!] \sqsubseteq_{\mathcal F} [\![Y]\!] &\\[2pt]
\text{iff} & (\forall w \in A^*).\ [\![X]\!](w) \sqsubseteq [\![Y]\!](w) &\\[2pt]
\text{iff} & (\forall w \in A^*).\ Y \Downarrow w \Rightarrow \big([\![X]\!](w) \sqsubseteq [\![Y]\!](w)\big) & (\text{as if } X \Uparrow w \text{ then } [\![X]\!](w) = \top, \text{ by induction on } w \in A^*)
\end{array}$$

for all X, Y ∈ 1 + 𝒫_ω S, where S is the state space of the LTS and A is the corresponding action alphabet.

Hence, the subsequent transitions ⊤ ⇐ ⊤ →^a ⊤ can be ignored as well, for all a ∈ A.

As a last ingredient in showing the connection between the Moore machine and the acceptance graph associated with an LTS with divergence, we make the following observations. Transitions o_1 ⇐ Q_1 →^a Q_2 ⇒ o_2 between non-divergent states Q_1, Q_2 correspond to transitions p_1 = (Q_1^ε, tt) →^a (Q_2^ε, tt) = p_2 such that p_i.acc = i(o_i), for i ∈ {1, 2}. Each transition o_1 ⇐ Q_1 →^a ⊤ with Q_1 a non-divergent state matches a transition p_1 = (Q_1^ε, tt) →^a p_2 such that p_1.acc = i(o_1), p_2.closed = ff and p_2.acc = ∅.

At this point we conclude that, given an LTS with divergence ℒ, the Moore machine derived according to the powerset construction and the corresponding acceptance graph 𝒜𝒢(ℒ) are isomorphic up to divergent behaviours.
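The must-testing construction of Section 4.6.2, the check of Remark 14 and the acceptance-graph nodes of Definition 4.6.11, carried out in Python as an added example that is not code from the thesis: it builds the Moore machine (1 + 𝒫_ω S, (o_2^♯, t^♯)) over a constructed finite LTS with τ, decides x ⊑_mst y as [[{x, y}]] = [[{x}]] by a bisimulation search on the determinised machine, and computes (Q^ε, closed, acc) to exhibit p.acc = i(o^♯(Q)) for convergent Q. All names (LTS, out2, trans_sharp, ag_node, SAMPLE) and the sample LTS are this example's own assumptions.

```python
"""Must testing via the determinised Moore machine (Section 4.6.2, Remark 14).
Added example, not code from the thesis; all names and the sample LTS are assumptions."""
from collections import deque

TAU, TOP = "tau", "TOP"   # internal action; the element ⊤ of 1 + P(S) and 1 + A(P(A))

class LTS:
    """actions: visible alphabet A; trans: iterable of (source, label, target)."""
    def __init__(self, actions, trans):
        self.A, self.trans = frozenset(actions), {}
        for p, label, q in trans:
            self.trans.setdefault(p, []).append((label, q))

    def succ(self, p, label):
        return {q for l, q in self.trans.get(p, []) if l == label}

    def tau_closure(self, Q):
        """Q^ε: the states reachable from Q by zero or more tau steps."""
        seen, stack = set(Q), list(Q)
        while stack:
            for q in self.succ(stack.pop(), TAU):
                if q not in seen:
                    seen.add(q); stack.append(q)
        return frozenset(seen)

    def weak_succ(self, x, a):
        """{y | x =a=> y}, i.e. tau* a tau*."""
        return self.tau_closure({q for p in self.tau_closure({x}) for q in self.succ(p, a)})

    def diverges(self, x):
        """x ⇑: in a finite LTS, some tau-reachable state lies on a tau-cycle."""
        return any(p in self.tau_closure(self.succ(p, TAU)) for p in self.tau_closure({x}))

    def stable_acc(self, Q):
        """{{a | q -a->} | q in Q, q has no tau step}: action sets of the stable states."""
        return [frozenset(a for a in self.A if self.succ(q, a))
                for q in Q if not self.succ(q, TAU)]

def antichain_min(sets):
    """min: keep the ⊆-minimal elements (the antichain side of the isomorphism i)."""
    sets = set(sets)
    return frozenset(B for B in sets if not any(C < B for C in sets))

def out2(lts, x):
    """o_2(x): ⊤ if x diverges, else min of the action sets of the stable states
    x' with x =ε=> x' (this is the acceptance set A(x, ε))."""
    return TOP if lts.diverges(x) else antichain_min(lts.stable_acc(lts.tau_closure({x})))

def trans(lts, x, a):
    """t(x)(a) of (4.15): ⊤ if x ⇑ a (x or one of its a-successors diverges)."""
    ys = lts.weak_succ(x, a)
    return TOP if lts.diverges(x) or any(lts.diverges(y) for y in ys) else ys

def out2_sharp(lts, X):
    """o_2#(X): the join in 1 + A(P(A)); ⊤ absorbs everything."""
    outs = [out2(lts, x) for x in X] if X != TOP else [TOP]
    return TOP if TOP in outs else antichain_min(B for o in outs for B in o)

def trans_sharp(lts, X, a):
    """t#(X)(a): the join in 1 + P(S)."""
    nxt = [trans(lts, x, a) for x in X] if X != TOP else [TOP]
    return TOP if TOP in nxt else frozenset(y for n in nxt for y in n)

def moore_equivalent(lts, X, Y):
    """[[X]]_2 = [[Y]]_2: bisimulation search on the finite determinised machine."""
    todo, seen = deque([(X, Y)]), set()
    while todo:
        P, Q = todo.popleft()
        if (P, Q) in seen:
            continue
        seen.add((P, Q))
        if out2_sharp(lts, P) != out2_sharp(lts, Q):
            return False
        todo.extend((trans_sharp(lts, P, a), trans_sharp(lts, Q, a)) for a in lts.A)
    return True

def must_preorder(lts, x, y):
    """x ⊑_mst y  iff  [[{x, y}]] = [[{x}]]   (Remark 14)."""
    return moore_equivalent(lts, frozenset({x, y}), frozenset({x}))

def ag_node(lts, Q):
    """Acceptance-graph node (Q^ε, closed, acc) of Definition 4.6.11; for a
    convergent Q, acc equals o_2#(Q), i.e. p.acc = i(o#(Q))."""
    Qe = lts.tau_closure(Q)
    closed = not any(lts.diverges(q) for q in Qe)
    return Qe, closed, (antichain_min(lts.stable_acc(Qe)) if closed else frozenset())

# Constructed sample: q0 = a + b, r0 = a ⊕ b (internal choice), s0 = tau.(a + b) + b,
# d0 a tau-loop (divergent), e0 whose a-successor diverges, f0 = a with a convergent successor.
SAMPLE = LTS({"a", "b"}, [
    ("q0", "a", "q1"), ("q0", "b", "q2"),
    ("r0", TAU, "r1"), ("r0", TAU, "r2"), ("r1", "a", "r3"), ("r2", "b", "r4"),
    ("s0", TAU, "s1"), ("s0", "b", "s2"), ("s1", "a", "s3"), ("s1", "b", "s4"),
    ("d0", TAU, "d0"),
    ("e0", "a", "e1"), ("e1", TAU, "e1"),
    ("f0", "a", "f1"),
])
```

On SAMPLE, internal choice lies below external choice (r0 ⊑_mst q0 but not the converse), the divergent d0 lies below everything, and s0 is must-equivalent to q0 because only stable states contribute to A(s0, ε).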


4.7 Discussion 

In this chapter we have proved that the coalgebraic characterisations of decorated trace semantics for labelled transition systems and generative probabilistic systems, respectively, are equivalent to the corresponding standard definitions in [vG01a] and [JS90]. More precisely, we have shown that for a state x, the coalgebraic canonical representative [[x]], given by determinisation and finality, coincides with the classical semantics 𝒳(x), for 𝒳 ranging over the functions representing the traces, complete traces, ready pairs, failure pairs, possible futures, ready traces and, respectively, failure traces of x in a labelled transition system. Similar equivalences have been proven for 𝒳 ranging over the functions representing the ready, failure, maximal failure, trace and maximal trace semantics for the case of probabilistic systems.

We also showed that the spectrum of decorated trace semantics can be recovered from the coalgebraic modelling.

Moreover, we provided an extension of trace and failure semantics to the context of labelled transition systems with internal behaviour, which further enabled the coalgebraic modelling of may and must testing semantics in [CH89] via the generalised powerset construction. A similar idea of system determinisation was also applied in [CH89], in a non-coalgebraic setting where, in the absence of internal actions and divergence, respectively, may testing coincides with trace and must testing coincides with failure semantics. The connection with this work is also studied in this chapter.

In addition, we have illustrated how to reason about decorated trace and testing semantics using coinduction, by constructing suitable Moore bisimulations. This is a sound and complete proof technique, and represents an important step towards automated reasoning, as it opens the way for the use of, for instance, coinductive theorem provers such as CIRC [RL0b].




Chapter 5 

Algorithms for decorated trace and testing semantics 


In Chapter 4 we provided a coalgebraic handling of a suite of semantics for different types of systems. These consist of decorated trace semantics for labelled transition systems and generative probabilistic systems, and may/must testing semantics for labelled transition systems with internal behaviour. In this chapter we focus on deriving algorithms for reasoning on failure and must testing, but our considerations hold also for the other decorated trace semantics for LTS's in Chapter 4 and for may testing semantics.

The problem of automatically checking these notions of behavioural equivalence is usually reduced to the problem of checking bisimilarity, as implemented in several tools [CPS93b, CS96, CDLT08, CGK+13] and proposed in [CH89], which introduces a procedure for checking testing equivalences. The idea is the following. First, non-deterministic systems, represented by labelled transition systems (LTS's), are transformed into deterministic "acceptance graphs" with a construction which is reminiscent of the determinisation of non-deterministic automata (NDA's). Then, since bisimilarity in acceptance graphs coincides with testing equivalence in the original LTS's, one checks bisimilarity via the so-called partition refinement algorithm [KS83, PT87]. This algorithm, which is the best known for minimising LTS's with respect to bisimilarity, is analogous to Hopcroft's minimisation algorithm [Hop71] for deterministic automata (DA's) with respect to language equivalence. In both, a partition of the state space is iteratively refined until the largest fixed-point is reached. In a nutshell, the procedure for checking testing semantics adopted in [CH89] is in essence the same as the classical procedure for checking language equivalence of non-deterministic automata: first determinise and then compute a largest fixed-point. This observation led us to experiment with applying other interesting language equivalence algorithms, not available for bisimilarity, to solve the problem of checking must and failure semantics. In order to achieve this, we took a coalgebraic perspective on the problem at hand, which allowed us to study the constructions and the semantics in a uniform fashion. The abstract coalgebraic framework enabled a unified study of different kinds of state-based systems: (a) both the determinisation of NDA's and the construction of acceptance graphs in [CH89] are instances of the generalised powerset construction [CHL03, Len99, SBBR10], and (b) the iterations of both the Hopcroft and the partition refinement algorithms are in one-to-one correspondence with the so-called construction of the terminal sequence [AK95, Wor05]. While (b) is well known in the community of coalgebras [ABH+12, FME05, Kur00, Sta11], (a) is the key observation of this work, which enabled us to devise other algorithms for must and failure semantics (introduced in Section 4.1.1 and Section 4.6.2, respectively).

First, we consider Brzozowski's algorithm [Brz62], which transforms an NDA into the minimal deterministic automaton accepting the same language: the input automaton is reversed (by swapping final and initial states and reversing its transitions), determinised, reversed and determinised once more. This somewhat intriguing algorithm can be explained in terms of duality and coalgebras [BBRS12, BPK12]. In particular, the approach in [BBRS12] allows us to extend it to Moore machines, which paves the way to adapting Brzozowski's algorithm for checking testing semantics.

Next, we consider several more efficient algorithms that have been recently introduced in a series of papers [ACH+10, BP13, DR10, WDHR06]. These algorithms rely on different kinds of (bi)simulations up-to, which are proof techniques originally proposed for process calculi [Mil89, MPW92, San98]. From these algorithms, we choose the one in [BP13] (HKC), which can be easily proved correct using coalgebraic techniques. HKC can be easily adapted to check must testing, once a coalgebraic characterisation of must equivalence is given.

Comparing the efficiency of these three families of algorithms (partition refinement [CH89], Brzozowski and bisimulations up-to) is not a trivial task. Both the problems of checking language and testing equivalence are PSPACE-complete, as shown in [MS73] and [KS83], respectively. However, in both cases the theoretical complexity appears not to be problematic in practice, so that an empirical evaluation is more desirable. In [TV05, Wat95, Wat00], experiments have shown that Brzozowski's algorithm performs better than Hopcroft's for "high-density" NDA's, while Hopcroft's algorithm is more efficient for generic NDA's. Both algorithms appear to be rather inefficient compared to those of the new generation [ACH+10, BP13, DR10, WDHR06]. It is out of the scope of this work to present an experimental comparison of the adaptation of these algorithms for must equivalence; we confine our results to showing that each approach can be more efficient than the others on concrete examples.

Summarising, the main contributions of this chapter are:

- The adaptation of HKC and Brzozowski's algorithm for failure and must semantics. For the latter, this includes an optimisation which avoids an expensive determinisation step. All the observations for failure can be used for various other decorated trace semantics, such as ready and ready trace.

- An interactive applet¹ allowing one to experiment with these algorithms.

- Experiments checking the equivalence of an ideal and a distributed multiway synchronisation protocol [PS96].

- At a more conceptual level, the present work also shows that the coalgebraic analysis of systems yields not only a good mathematical theory of their semantics but also a rich playground to devise algorithms.

Organisation of the chapter. We first recall word automata, the algorithms we will start with, and their coalgebraic description (Section 5.1). We adapt these algorithms to failure semantics (Sections 5.2.1, 5.2.3, 5.2.4, 5.2.5), and then to must semantics (Sections 5.2.2, 5.2.3, 5.2.6, 5.2.7) for finite machines: although failure semantics can be seen as a special case of must semantics, the first generalisation is important for the sake of clarity. We finally give examples illustrating the relative behaviour of the various algorithms (Sections 5.3, 5.4), before concluding (Section 5.5).

¹ http://perso.ens-lyon.fr/damien.pous/brz


5.1 Language equivalence 

The core of this chapter is about the problem of checking whether two states in a finite 
transition system are behaviourally equivalent, for a certain notion of equivalence. More 
explicitly, we will reduce the problem of reasoning on failure and must testing semantics, 
respectively, to the classical problem of checking language equivalence. 

We proceed by first providing a short overview on deterministic automata (DA’s), Moore 
machines and non-deterministic automata (NDA’s), and the problem of recovering lan¬ 
guage semantics of NDA’s, in the coalgebraic setting. 

We recall again that a deterministic automaton over the input alphabet $A$ is a pair $(S, (o, t))$, 
where $S$ is a set of states and $(o, t)\colon S \to 2 \times S^A$ is a function with two components: $o$, the 
output function, determines whether a state $x$ is final ($o(x) = 1$) or not ($o(x) = 0$); and 
$t$, the transition function, returns for each state and each input letter the next state. 
From any DA, there exists a function $[\![-]\!]\colon S \to 2^{A^*}$ mapping states to formal languages, 
defined as follows, for all $x \in S$: 

$[\![x]\!](\varepsilon) = o(x) \qquad [\![x]\!](a \cdot w) = [\![t(x)(a)]\!](w)$ (5.1) 

The language $[\![x]\!]$ is called the language accepted by $x$, and it consists of all words 
$w \in A^*$ which, if executed from $x$, lead to a final (or accepting) state. Given an automaton 
$(S, (o, t))$, the states $x, y \in S$ are said to be language equivalent iff they accept the same 
language. 

Throughout this chapter, we will use Moore machines, which are coalgebras for the functor 
$F(S) = B \times S^A$. These are very similar to DA's, but with outputs in any (fixed) set $B$. The 
unique $F$-homomorphism to the final coalgebra $[\![-]\!]\colon S \to B^{A^*}$ is defined exactly as for 
DA's by the equations in (5.1). Note that the behaviours of Moore machines are functions 
$\varphi\colon A^* \to B$, rather than subsets of $A^*$. For each behaviour $\varphi \in B^{A^*}$, there exists a minimal 
Moore machine realising it. 

A non-deterministic automaton is similar to a DA but the transition function returns a set 
of next states instead of a single state. Thus, an NDA over the input alphabet $A$ is a pair 
$(S, (o, t))$, where $S$ is a set of states and $(o, t)\colon S \to 2 \times (\mathcal{P}_\omega(S))^A$. An example, referred 
to as (5.2) in the sequel, is depicted below (final states are overlined, labelled edges represent 
transitions). 



Classically, in order to recover the language semantics of an NDA, one uses the powerset 
construction (see Section 2.3 for a reminder), transforming every NDA $(S, (o, t))$ into the DA 
$(\mathcal{P}_\omega(S), (o^\sharp, t^\sharp))$, where $o^\sharp\colon \mathcal{P}_\omega(S) \to 2$ and $t^\sharp\colon \mathcal{P}_\omega(S) \to \mathcal{P}_\omega(S)^A$ are defined for all $X \in \mathcal{P}_\omega(S)$ 
as 

$o^\sharp(X) = \bigsqcup_{x \in X} o(x) \qquad t^\sharp(X)(a) = \bigsqcup_{x \in X} t(x)(a).$ 

Note that we use $\sqcup$ to denote the “Boolean or” in $2$, the union of languages in $2^{A^*}$ and the 
union of sets in $\mathcal{P}_\omega(S)$. 
For instance, with the NDA from (5.2), $o^\sharp(\{x,y\}) = 0 \sqcup 1 = 1$ (i.e., the state $\{x,y\}$ is final) 
and $t^\sharp(\{x,y\})(a) = \{y\} \sqcup \{z\} = \{y,z\}$ (i.e., $\{x,y\} \xrightarrow{a} \{y,z\}$). 

Since $(\mathcal{P}_\omega(S), (o^\sharp, t^\sharp))$ is a deterministic automaton, we can now apply the language 
semantics above, yielding a function $[\![-]\!]\colon \mathcal{P}_\omega(S) \to 2^{A^*}$ mapping sets of states to languages. 

Given two states $x$ and $y$, we say that they are language equivalent iff $[\![\{x\}]\!] = [\![\{y\}]\!]$. 
More generally, for two sets of states $X, Y \subseteq S$, we say that $X$ and $Y$ are language 
equivalent iff $[\![X]\!] = [\![Y]\!]$. 

In order to introduce the algorithms in full generality, it is important to recall here that 
the sets $2$, $\mathcal{P}_\omega(S)^A$, $2 \times \mathcal{P}_\omega(S)^A$ and $2^{A^*}$ carry a semilattice with bottom structure 
$(X, \sqcup, 0)$ and that the functions $(o^\sharp, t^\sharp)\colon \mathcal{P}_\omega(S) \to 2 \times \mathcal{P}_\omega(S)^A$ and $[\![-]\!]\colon \mathcal{P}_\omega(S) \to 2^{A^*}$ are 
homomorphisms of semilattices with bottom. In the rest of the chapter we will indiscriminately 
use $0$ to denote the element $0 \in 2$, the empty language in $2^{A^*}$ and the empty set in 
$\mathcal{P}_\omega(S)$. 

5.1.1 Language equivalence via bisimulation up-to: HKC 

We recall the algorithm HKC from [BP13]. We first provide a notion of bisimulation on 
sets of states, underlying the notion of progression. Note that this is equivalent to the 
bisimulation introduced in Section 2.2, but more appropriate for the proofs in this chapter. 

5.1.1 Definition (Progression, Bisimulation). Given two relations $R, R' \subseteq \mathcal{P}_\omega(S) \times \mathcal{P}_\omega(S)$, 
$R$ progresses to $R'$, denoted $R \rightarrowtail R'$, if whenever $X \mathrel{R} Y$ then 

1. $o^\sharp(X) = o^\sharp(Y)$ and 2. for all $a \in A$, $t^\sharp(X)(a) \mathrel{R'} t^\sharp(Y)(a)$. 

A bisimulation is a relation $R$ such that $R \rightarrowtail R$. 

This definition considers the states, the transitions and the outputs of the determinised 
NDA. For this reason, the bisimulation proof technique is sound and complete for lan¬ 
guage equivalence. 

Consequently, the coinduction proof principle is stated as follows. 

5.1.2 Proposition (Coinduction). For all $X, Y \in \mathcal{P}_\omega(S)$, $[\![X]\!] = [\![Y]\!]$ iff there exists a 
bisimulation that relates $X$ and $Y$. 

For an example, suppose that we want to prove the equivalence of $\{x\}$ and $\{u\}$ of the NDA 
in (5.2). The part of the determinised NDA that is reachable from $\{x\}$ and $\{u\}$ is depicted 
below. The relation consisting of dashed and dotted lines is a bisimulation which proves 
that $[\![\{x\}]\!] = [\![\{u\}]\!]$. 

[Figure (5.3): the part of the determinised NDA reachable from $\{x\}$ and $\{u\}$; the lower row consists of the states $\{u\}$, $\{v,w\}$, $\{u,w\}$ and $\{u,v,w\}$, and the dashed lines are numbered 1, 2, 3. Not reproduced here.] 

The dashed lines (numbered by 1, 2, 3) form a smaller relation which is not a bisimulation, 
but a bisimulation up-to congruence: the equivalence of $\{x,y\}$ and $\{u,v,w\}$ can be 
immediately deduced from the fact that $\{x\}$ is related to $\{u\}$ and $\{y\}$ to $\{v,w\}$. In order to 
formally introduce bisimulations up-to congruence, we need to define first the congruence 
formally introduce bisimulations up-to congruence, we need to define first the congruence 
closure $c(R)$ of a relation $R \subseteq \mathcal{P}_\omega(S) \times \mathcal{P}_\omega(S)$. This is done inductively, by the following 
rules: 

$\dfrac{X \mathrel{R} Y}{X \mathrel{c(R)} Y} \qquad \dfrac{}{X \mathrel{c(R)} X} \qquad \dfrac{X \mathrel{c(R)} Y}{Y \mathrel{c(R)} X} \qquad \dfrac{X \mathrel{c(R)} Y \quad Y \mathrel{c(R)} Z}{X \mathrel{c(R)} Z} \qquad \dfrac{X_1 \mathrel{c(R)} Y_1 \quad X_2 \mathrel{c(R)} Y_2}{X_1 \sqcup X_2 \mathrel{c(R)} Y_1 \sqcup Y_2}$ (5.4) 

Note that the term “congruence” here is intended with respect to the semilattice structure 
carried by the state space of the determinised automaton. Intuitively, $c(R)$ is the 
smallest equivalence relation containing $R$ which is closed w.r.t. $\sqcup$. 

5.1.3 Definition (Bisimulation up-to congruence). A relation $R \subseteq \mathcal{P}_\omega(S) \times \mathcal{P}_\omega(S)$ is a 
bisimulation up-to $c$ if $R \rightarrowtail c(R)$, i.e., whenever $X \mathrel{R} Y$ then 

1. $o^\sharp(X) = o^\sharp(Y)$ and 2. for all $a \in A$, $t^\sharp(X)(a) \mathrel{c(R)} t^\sharp(Y)(a)$. 

5.1.4 Theorem ([BP13]). Any bisimulation up-to $c$ is contained in a bisimulation. 

Figure 5.1 shows the corresponding algorithm, parametric on $o^\sharp$, $t^\sharp$ and $c$. Starting from 
an NDA $(S, (o, t))$ and considering the determinised automaton $(\mathcal{P}_\omega(S), (o^\sharp, t^\sharp))$, it can be used 
to check language equivalence of two sets of states $X$ and $Y$. Starting from the pair 
$(X, Y)$, the algorithm builds a relation $R$ that, in case of success, is a bisimulation up-to 
congruence. In order to do that, it employs the set todo which, intuitively, at any step of 
the execution, contains the pairs $(X', Y')$ that must be checked: if $(X', Y')$ already belongs 
to $c(R \cup \mathit{todo})$, then it does not need to be checked. Otherwise, the algorithm checks if 
$X'$ and $Y'$ have the same outputs. If $o^\sharp(X') \neq o^\sharp(Y')$ then $X$ and $Y$ are different; otherwise 
the algorithm inserts $(X', Y')$ in $R$ and, for all $a \in A$, the pairs $(t^\sharp(X')(a), t^\sharp(Y')(a))$ in todo. 
The check $(X', Y') \in c(R \cup \mathit{todo})$ at step 2.2 is done with the rewriting algorithm of [BP13, 
Section 3.4]. 

5.1.5 Proposition. For all $X, Y \in \mathcal{P}_\omega(S)$, $[\![X]\!] = [\![Y]\!]$ iff HKC$(X, Y)$. 

The iterations corresponding to the execution of HKC$(\{x\}, \{u\})$ on the NDA in (5.2) are 
concisely described by the numbered dashed lines in (5.3). Observe that only a small 
portion of the determinised automaton is explored; this fact usually makes HKC more 
efficient than the algorithms based on minimisation, which need to build the whole reachable 
part of the determinised automaton. 

5.1.2 Language equivalence via Brzozowski’s algorithm 

The problem of checking language equivalence of two sets of states $X$ and $Y$ of a 
non-deterministic finite automaton can be reduced to that of building the minimal DA for 
$[\![X]\!]$ and $[\![Y]\!]$ and checking whether they are the same (up to isomorphism). The most 
well-known procedure consists in first determinising the NDA and then minimising it 
with Hopcroft's algorithm [Hop71]. Another interesting solution is Brzozowski's algorithm 
[Brz62]. 

To explain the latter, it is convenient to consider a set of initial states $I$. Given an NDA 
$(S, (o, t))$ and a set of states $I$, Brzozowski's algorithm computes the minimal automaton 
for the language $[\![I]\!]$ by performing the 4 steps in Figure 5.1. 

The operation “reverse and determinise” takes as input an NDA $(S, (o, t))$ and returns a DA 
$(\mathcal{P}_\omega(S), (o^R, t^R))$ where the functions $o^R\colon \mathcal{P}_\omega(S) \to 2$ and $t^R\colon \mathcal{P}_\omega(S) \to \mathcal{P}_\omega(S)^A$ are defined 
for all $X \in \mathcal{P}_\omega(S)$ as 

$o^R(X) = 1 \text{ iff } X \cap I \neq \emptyset \qquad t^R(X)(a) = \{x \in S \mid t(x)(a) \cap X \neq \emptyset\}$ 
HKC(X, Y): 

(1) R is empty; todo is {(X, Y)}; 

(2) while todo is not empty, do 

(2.1) extract (X', Y') from todo; 

(2.2) if $(X', Y') \in c(R \cup \mathit{todo})$ then continue; 

(2.3) if $o^\sharp(X') \neq o^\sharp(Y')$ then return false; 

(2.4) for all $a \in A$, insert $(t^\sharp(X')(a), t^\sharp(Y')(a))$ in todo; 

(2.5) insert (X', Y') in R; 

(3) return true; 

Brzozowski: 

(1) reverse and determinise; 

(2) take the reachable part; 

(3) reverse and determinise; 

(4) take the reachable part. 

Figure 5.1: Generic HKC algorithm, parametric on $o^\sharp$, $t^\sharp$ and $c$. Generic Brzozowski's 
algorithm, parametric on reverse and determinise. Instantiation to language/failure/must 
equivalence. 


and the new initial state is the old set of final states: $I^R = \{x \mid o(x) = 1\}$. The second step 
consists in taking the part of $(\mathcal{P}_\omega(S), (o^R, t^R))$ which is reachable from $I^R$. The third and 
the fourth steps perform this procedure once more. 

As an example, consider the NDA in (5.2) with the set of initial states $I = \{x\}$. Brzozowski's 
algorithm builds the minimal DA accepting $[\![\{x\}]\!]$ as follows. After the first two 
steps, it returns the following DA where the initial state is $\{y\}$. 

[Figure: the DA obtained after steps 1 and 2, with initial state $\{y\}$ and states $\{y\}$, $\{z,y\}$, $\{x,z\}$, $\{x,y,z\}$; not reproduced here.] 

After steps 3 and 4, it returns the DA below with initial state $\{\{x,z\},\{x,y,z\}\}$. 

[Figure: the minimal DA obtained after steps 3 and 4, with states $\{\{x,z\},\{x,y,z\}\}$, $\{\{y\},\{z,y\},\{x,y,z\}\}$, $\{\{x,z\},\{z,y\},\{x,y,z\}\}$ and $\{\{y\},\{x,z\},\{z,y\},\{x,y,z\}\}$, all transitions labelled $a$; not reproduced here.] 

Computing the minimal DA for the NDA in (5.2) with the set of initial states $I = \{u\}$ results in an 
isomorphic automaton, showing the equivalence of $x$ and $u$. 


5.2 Algorithms for failure and must testing semantics 

In this section we show how the algorithms HKC and Brzozowski can be adapted for reasoning 
on failure and must testing semantics. Next we briefly summarise the coalgebraic 
modelling of these semantics via the generalised powerset construction, as introduced in 
Chapter 4. 
An LTS over the alphabet $A$ is a pair $(S, t)$ with $t\colon S \to \mathcal{P}_\omega(S)^A$. For a function $\varphi \in \mathcal{P}_\omega(S)^A$, 
$I(\varphi)$ denotes the set of all labels “enabled” by $\varphi$, given by $I(\varphi) = \{a \in A \mid \varphi(a) \neq \emptyset\}$, while 
$\mathit{Fail}(\varphi)$ denotes the set $\{Z \subseteq A \mid Z \cap I(\varphi) = \emptyset\}$. A failure pair of a state $x \in S$ is a pair 
$(w, Z) \in A^* \times \mathcal{P}_\omega(A)$ such that $x \xrightarrow{w} y$ and $Z \in \mathit{Fail}(t(y))$. The set of failure pairs of $x$ is 
denoted by $\mathcal{F}(x)$. Given two states $x, y \in S$, $x$ is failure equivalent to $y$ ($x \sim_{\mathcal{F}} y$) if and 
only if $\mathcal{F}(x) = \mathcal{F}(y)$. 

In short, the coalgebraic modelling of failure semantics in Section 4.1.1 is as follows. First, 
the states of an LTS $(S, t)$ are decorated by means of the output function $o\colon S \to \mathcal{P}_\omega(\mathcal{P}_\omega(A))$ 
defined as 

$o(x) = \mathit{Fail}(t(x))$ (5.5) 

Then, the decorated LTS $(S, (o, t))$ is translated, using the generalised powerset construction 
from Section 2.3, into a Moore machine $(\mathcal{P}_\omega(S), (o^\sharp, t^\sharp))$ with $o^\sharp\colon \mathcal{P}_\omega(S) \to \mathcal{P}_\omega(\mathcal{P}_\omega(A))$ 
and $t^\sharp\colon \mathcal{P}_\omega(S) \to \mathcal{P}_\omega(S)^A$ defined for all $X \in \mathcal{P}_\omega(S)$ as 

$o^\sharp(X) = \bigsqcup_{x \in X} o(x) \qquad t^\sharp(X)(a) = \bigsqcup_{x \in X} t(x)(a)$ (5.6) 

where, in the left equation, $\sqcup$ denotes the union of subsets in $\mathcal{P}_\omega(\mathcal{P}_\omega(A))$. Note that 
$(\mathcal{P}_\omega(S), (o^\sharp, t^\sharp))$ is a Moore machine with outputs in $\mathcal{P}_\omega(\mathcal{P}_\omega(A))$. The map into the final 
Moore coalgebra $[\![-]\!]\colon \mathcal{P}_\omega(S) \to (\mathcal{P}_\omega(\mathcal{P}_\omega(A)))^{A^*}$ associates to a set of states their “behaviours”. 
The latter are in one-to-one correspondence with failure pairs. More explicitly, 
for all $x \in S$, $Z \in \mathcal{P}_\omega(A)$ and $w \in A^*$: 

$Z \in [\![\{x\}]\!](w) \text{ iff } (w, Z) \in \mathcal{F}(x).$ (5.7) 

Hence, 

$x \sim_{\mathcal{F}} y \text{ iff } [\![\{x\}]\!] = [\![\{y\}]\!].$ (5.8) 

The trace-based characterisation of must testing in [CH89] leads to a similar coalgebraic 
representation via the generalised powerset construction. In Section 4.6.2 we modelled 
LTS's with internal behaviour and divergence as coalgebras $(S, t\colon S \to (1 + \mathcal{P}_\omega(S))^A)$ such 
that, for all $x \in S$ and $a \in A$ 

$t(x)(a) = \top \text{ if } x \Uparrow, \qquad t(x)(a) = \{y \mid x \overset{a}{\Rightarrow} y\} \text{ otherwise.}$ (5.9) 

Recall that $\overset{a}{\Rightarrow}$ denotes the execution of an action $a \in A$, possibly preceded or followed by 
(any number of) internal steps $\tau$, $\downarrow$ is the convergence predicate ($x \Uparrow$ standing for its 
negation, i.e., divergence), and $1 = \{\top\}$ is used to coalgebraically “capture” divergent behaviours. 

Then, we decorate such LTS's by means of a function $o\colon S \to 1 + \mathcal{P}_\omega(\mathcal{P}_\omega(A))$ such that, for 
all $x \in S$ 

$o(x) = \begin{cases} \top & \text{if } x \Uparrow \\ \bigcup_{x \xrightarrow{\tau} x'} o(x') & \text{if } x \xrightarrow{\tau} \\ \mathit{Fail}(t(x)) & \text{otherwise.} \end{cases}$ (5.10) 

Finally, we apply the generalised powerset construction and derive a Moore machine 
$(1 + \mathcal{P}_\omega(S), (o^\sharp, t^\sharp))$ defined for all $X \in 1 + \mathcal{P}_\omega(S)$ and $a \in A$ as 

$o^\sharp(X) = \begin{cases} \top & \text{if } X = \top \\ \bigsqcup_{x \in X} o(x) & \text{if } X \in \mathcal{P}_\omega(S) \end{cases} \qquad t^\sharp(X)(a) = \begin{cases} \top & \text{if } X = \top \\ \bigsqcup_{x \in X} t(x)(a) & \text{if } X \in \mathcal{P}_\omega(S) \end{cases}$ (5.11) 

The state space $(1 + \mathcal{P}_\omega(\mathcal{P}_\omega(A)))^{A^*}$ of the final Moore coalgebra carries the structure of a join 
semilattice with top, inducing a partial order $\sqsubseteq$. This, together with the behaviour map 
$[\![-]\!]\colon 1 + \mathcal{P}_\omega(S) \to (1 + \mathcal{P}_\omega(\mathcal{P}_\omega(A)))^{A^*}$, further enabled formalising the must testing preorder and 
equivalence, respectively, as follows: 

$x \sqsubseteq_{\mathit{mst}} y \text{ iff } [\![\{x\}]\!] \sqsubseteq [\![\{y\}]\!]$ 
$x \sim_{\mathit{mst}} y \text{ iff } [\![\{x\}]\!] = [\![\{y\}]\!].$ 

5.2.1 HKC for failure semantics 

The algorithm HKC in Figure 5.1 can be used to check failure equivalence on an LTS 
$(S, t)$ by taking $o^\sharp$ and $t^\sharp$ as defined in (5.6). Then, the congruence closure $c$ is defined 
as for language equivalence in (5.4). The analogue of Proposition 5.1.5 can be proved 
in exactly the same way (check Section 5.2.3): in particular, soundness of bisimulation 
up-to congruence is guaranteed by the fact that $(\mathcal{P}_\omega(S), (o^\sharp, t^\sharp))$ is a bialgebra. 

We provide an example of using bisimulation up-to congruence for reasoning on failure 
semantics. Consider the following systems, where $n$ is an arbitrary natural number: 

[Figure: on the left, an LTS with states $x$, $u_1, \dots, u_n$ and $v_1, \dots, v_n$; on the right, an LTS with the single state $y$; transitions are labelled $a$, $b$ and $a,b$. Not reproduced here.] 

It is easy to see that $x$ and $y$ are bisimilar: intuitively, all the states of the automata 
depicted above can trigger actions $a$ and $b$ as a first step and, moreover, all their subsequent 
transitions lead to states with the same behaviour. Therefore $x$ and $y$ are also 
$\mathcal{F}$-equivalent, according to van Glabbeek's lattice of semantic equivalences [vG01a] (partially) 
illustrated in Chapter 4. 

The coalgebraic machinery provides a “yes” answer with respect to 
$\mathcal{F}$-equivalence of the two LTS's as well. After determinisation, $\{x\}$ can reach all states 
of shape: $\{x\} \cup U_i$, $\{x\} \cup V_i$, $\{x\} \cup U_i \cup V_i$, for $i \in \{1, \dots, n\}$, and $\{x\} \cup U_j \cup \{v_1\}$, $\{x\} \cup V_j \cup \{u_1\}$, 
respectively, for $j \in \{2, \dots, n\}$. (We write, for example, $U_i$ in order to represent the set 
$\{u_1, u_2, \dots, u_i\}$.) 

Consequently, the generalised powerset construction associates to $x$ a Moore automaton 
consisting of $5n - 1$ states, whereas the determinisation of $y$ has only one state. Hence, 
the (Moore) bisimulation relation $R$ including $(\{x\}, \{y\})$ consists of $5n - 1$ pairs, as follows: 

$R = \{(\{x\}, \{y\})\} \cup$ 
$\{(\{x\} \cup U_i \cup \{v_1\}, \{y\}),\ (\{x\} \cup V_i \cup \{u_1\}, \{y\}) \mid i \in \{2, \dots, n\}\} \cup$ (5.13) 
$\{(\{x\} \cup U_i, \{y\}),\ (\{x\} \cup V_i, \{y\}),\ (\{x\} \cup U_i \cup V_i, \{y\}) \mid i \in \{1, \dots, n\}\}.$ 


For a better intuition, we illustrate below the determinisations starting from $x$ and $y$, for 
the case $n = 3$: 

[Figure: the determinisations of $x$ and of $y$ for $n = 3$; not reproduced here.] 

It is easy to see that the bisimulation relating $\{x\}$ and $\{y\}$ consists of all pairs $(X, \{y\})$, 
with $X$ ranging over the state space of the Moore automaton derived according to the 
generalised powerset construction, starting with $\{x\}$. 

Observe that all the pairs in $R$ in (5.13) can be “generated” from $(\{x\}, \{y\})$, $(\{x\} \cup U_i, \{y\})$ 
and $(\{x\} \cup V_i, \{y\})$ by iteratively applying the rules in (5.4). Therefore, for an arbitrary 
natural number $n$, the bisimulation up-to congruence stating the equivalence of $x$ and $y$ 
is: 

$R' = \{(\{x\}, \{y\})\} \cup \{(\{x\} \cup U_i, \{y\}),\ (\{x\} \cup V_i, \{y\}) \mid i \in \{1, \dots, n\}\}$ 

and consists of only $2n + 1$ pairs. The latter represent exactly the states explored by HKC. 
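An added, runnable rendering of the generic HKC of Figure 5.1 (illustration code written for this page, not the thesis's implementation nor the applet): $o^\sharp$ and $t^\sharp$ are parameters, and the step 2.2 check uses the rewriting-based normal form of [BP13, Section 3.4]. It is instantiated first for language equivalence (Section 5.1.1) on a one-letter NDA constructed, as an assumption, so that its determinised states are the ones quoted for (5.2) and (5.3), and then for failure equivalence as in Section 5.2.1 on a constructed LTS; all identifiers below are assumptions.

```python
from collections import deque
from itertools import combinations


def normal_form(X, pairs):
    """Rewriting check of [BP13, Sect. 3.4]: saturate X with the pairs until a
    fixpoint is reached (whenever one side of a pair is contained in X, add the
    other side). Two sets are related by c(pairs) iff they reach the same fixpoint."""
    changed = True
    while changed:
        changed = False
        for left, right in pairs:
            for side, other in ((left, right), (right, left)):
                if side <= X and not other <= X:
                    X, changed = X | other, True
    return X


def in_congruence(X, Y, pairs):
    """(X, Y) in c(pairs), where pairs plays the role of R U todo."""
    return normal_form(X, pairs) == normal_form(Y, pairs)


def hkc(X, Y, o_sharp, t_sharp, alphabet):
    """Generic HKC of Figure 5.1, parametric on o#, t# and the congruence check.
    Returns (True, R) with R a bisimulation up-to congruence, or (False, R)."""
    R = []
    todo = deque([(frozenset(X), frozenset(Y))])          # (1)
    while todo:                                           # (2)
        X1, Y1 = todo.popleft()                           # (2.1)
        if in_congruence(X1, Y1, R + list(todo)):         # (2.2)
            continue
        if o_sharp(X1) != o_sharp(Y1):                    # (2.3)
            return False, R
        for a in alphabet:                                # (2.4)
            todo.append((t_sharp(X1, a), t_sharp(Y1, a)))
        R.append((X1, Y1))                                # (2.5)
    return True, R                                        # (3)


# Language equivalence (Section 5.1.1). Constructed NDA (assumption): one letter a,
# final states y and v; determinising gives {x},{y},{z},{x,y},... and {u},{v,w},{u,w},{u,v,w}.
NDA_FINAL = {"y", "v"}
NDA_TRANS = {"x": {"y"}, "y": {"z"}, "z": {"x", "y"},
             "u": {"v", "w"}, "v": {"w"}, "w": {"u"}}


def nda_o(X):                     # o#(X): Boolean "or" of the outputs of the members
    return any(x in NDA_FINAL for x in X)


def nda_t(X, a):                  # t#(X)(a): union of the a-successors of the members
    return frozenset().union(*(NDA_TRANS[x] for x in X)) if a == "a" else frozenset()


def language_equivalent(x, y):
    return hkc({x}, {y}, nda_o, nda_t, "a")


# Failure equivalence (Section 5.2.1): decorate an LTS with o(x) = Fail(t(x)) (5.5) and
# use the maps of (5.6); the join is still set union, so the same congruence check applies.
def powerset(s):
    s = sorted(s)
    return frozenset(frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r))


def failure_maps(lts, alphabet):
    """lts: state -> {letter: set of successors}. Returns (o#, t#) on sets of states."""
    alpha = frozenset(alphabet)

    def o_sharp(X):               # union over x in X of Fail(t(x)) = P(A \ I(x))
        return frozenset().union(*(powerset(alpha - {a for a, s in lts[x].items() if s})
                                   for x in X))

    def t_sharp(X, a):
        return frozenset().union(*(lts[x].get(a, set()) for x in X))

    return o_sharp, t_sharp


# Constructed LTS (assumption): x and y have the same traces but differ in failures
# (after a, x may refuse b or c while y refuses neither); z branches on a yet is
# failure equivalent to y.
LTS = {"x": {"a": {"x1", "x2"}}, "x1": {"b": {"d"}}, "x2": {"c": {"d"}},
       "y": {"a": {"y1"}}, "y1": {"b": {"d"}, "c": {"d"}},
       "z": {"a": {"z1", "z2"}}, "z1": {"b": {"d"}, "c": {"d"}},
       "z2": {"b": {"d"}, "c": {"d"}}, "d": {}}
FAIL_O, FAIL_T = failure_maps(LTS, "abc")


def failure_equivalent(x, y):
    return hkc({x}, {y}, FAIL_O, FAIL_T, "abc")
```

On the NDA, HKC answers for $\{x\}$ and $\{u\}$ after three pairs, the fourth pair $(\{x,y\},\{u,v,w\})$ being discharged by the congruence check exactly as described for (5.3).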


5.2.2 HKC for must semantics 

The coalgebraic characterisation of must testing guarantees soundness and completeness 
of bisimulation up-to congruence for the associated equivalence. Bisimulations are now 
relations $R \subseteq (1 + \mathcal{P}_\omega(S)) \times (1 + \mathcal{P}_\omega(S))$ on the state space $1 + \mathcal{P}_\omega(S)$, where $o^\sharp$ and $t^\sharp$ are 
defined as in (5.11). Now, the congruence closure $c(R)$ of a relation $R \subseteq (1 + \mathcal{P}_\omega(S)) \times (1 + \mathcal{P}_\omega(S))$ 
is defined by the rules in (5.4), where $\sqcup$ is the join in $1 + \mathcal{P}_\omega(S)$ (rather than the 
union in $\mathcal{P}_\omega(S)$). By simply redefining $o^\sharp$, $t^\sharp$ and $c(R)$, the algorithm in Figure 5.1 can be 
used to check must equivalence and preorder (the detailed proof is in Section 5.2.3). 
Consider, for an example, the LTS's in Section 4.6.2: 

[Figure (5.14): the LTS's from Section 4.6.2, with states $x$, $x_1$, $x_2$, $x_3$ and $y$; not reproduced here.] 

In Section 4.6.2 we showed that the states $x$ and $y$ are must equivalent, by identifying 
a bisimulation relating $\{x\}$ and $\{y\}$. This time, however, we depict by the dashed lines 
in (5.15) (the reachable part of the Moore machine, not reproduced here) the relation 
$R = \{(\{x\}, \{y\}), (\{x_1, x_2, x_3\}, \{y\})\}$, which is not a bisimulation, but a 
bisimulation up-to congruence, since both $(\top, \top) \in c(R)$ and $(\{x, x_1\}, \{y\}) \in c(R)$. For the 
latter, observe that 

$\{x, x_1\} \mathrel{c(R)} \{y, x_1\} \mathrel{c(R)} \{x_1, x_2, x_3\} \mathrel{c(R)} \{y\}.$ 

It is important to remark here that HKC computes this relation without the need of exploring 
all the reachable part of the Moore machine $(1 + \mathcal{P}_\omega(S), (o^\sharp, t^\sharp))$. So, amongst all the 
states in (5.15), HKC only explores $\{x\}$, $\{y\}$ and $\{x_1, x_2, x_3\}$. 

5.2.3 Correctness of HKC 

We provide a uniform proof of correctness of HKC in Figure 5.1 for language, failure and 
must semantics (Proposition 5.1.5). The key step is (the analogue of) Theorem 5.1.4, 
stating that bisimulation up-to congruence is a sound proof technique. This holds for any 
bialgebra (see e.g. Corollary 6.6 in [RBR13]) and, in particular, for $(\mathcal{P}_\omega(S), (o^\sharp, t^\sharp))$ (or 
$(1 + \mathcal{P}_\omega(S), (o^\sharp, t^\sharp))$), which is guaranteed to be a bialgebra by the generalised powerset 
construction (we refer the interested reader to [Kli11] for a nice introduction to this 
topic). 

We first observe that if HKC$(X, Y)$ returns true then the relation $R$ that is built before 
arriving at step 3 is a bisimulation up-to congruence. Indeed, the following proposition is 
an invariant for the loop corresponding to step 2: 

$R \rightarrowtail c(R \cup \mathit{todo})$ 

This invariant is preserved since at any iteration of the algorithm, a pair $(X', Y')$ is removed 
from todo and inserted in $R$ after checking that $o^\sharp(X') = o^\sharp(Y')$ and adding 
$(t^\sharp(X')(a), t^\sharp(Y')(a))$ for all $a \in A$ to todo. Since todo is empty at the end of the loop, 
we eventually have $R \rightarrowtail c(R)$, i.e., $R$ is a bisimulation up-to congruence. 

We now prove that if HKC$(X, Y)$ returns false, then $[\![X]\!] \neq [\![Y]\!]$. Note that for all $(X', Y')$ 
inserted in todo, there exists a word $w \in A^*$ such that, in the determinised NDA, $X \xrightarrow{w} X'$ 
and $Y \xrightarrow{w} Y'$. Since $o^\sharp(X') \neq o^\sharp(Y')$, then $[\![X]\!](w) = o^\sharp(X') \neq o^\sharp(Y') = [\![Y]\!](w)$. 

5.2.4 Brzozowski’s algorithm for failure semantics 

A variation of Brzozowski's algorithm for Moore machines is given in [BBRS12]. We 
could apply such an algorithm to the Moore machine $(\mathcal{P}_\omega(S), (o^\sharp, t^\sharp))$ which is induced by a 
decorated LTS $(S, (o, t))$, with $o$ defined as in (5.5). However, we propose a more efficient 
variation that skips the first determinisation from $(S, (o, t))$ to $(\mathcal{P}_\omega(S), (o^\sharp, t^\sharp))$. 

The novel algorithm consists of the four steps described in Section 5.1.2, where the procedure 
“reverse and determinise” is modified as follows: $(S, (o, t))$ with initial state $I$ is 
transformed into $((\mathcal{P}_\omega(\mathcal{P}_\omega(A)))^S, o^R, t^R)$ where 

$o^R\colon (\mathcal{P}_\omega(\mathcal{P}_\omega(A)))^S \to \mathcal{P}_\omega(\mathcal{P}_\omega(A))$ 

and 

$t^R\colon (\mathcal{P}_\omega(\mathcal{P}_\omega(A)))^S \to ((\mathcal{P}_\omega(\mathcal{P}_\omega(A)))^S)^A$ 

are defined for all functions $\psi \in (\mathcal{P}_\omega(\mathcal{P}_\omega(A)))^S$ as 

$o^R(\psi) = \bigsqcup_{x \in I} \psi(x) \qquad t^R(\psi)(a)(x) = \bigsqcup_{y \in t(x)(a)} \psi(y)$ (5.16) 

and the new initial state is $I^R = o$. 

Note that the result of this procedure is a Moore machine. Brzozowski's algorithm in 
Figure 5.1 transforms an NDA $(S, (o, t))$ with initial state $I$ into the minimal DA for $[\![I]\!]$. 
Analogously, our novel algorithm transforms an LTS into the minimal Moore machine for 
$[\![I]\!]$. 

Let us illustrate the minimisation procedure by means of an example. Consider the LTS 
$(S, t)$ on the alphabet $A = \{a, b, c\}$ depicted below. 

[Figure: the LTS $(S, t)$ with states $p, q, r, s, u, v$; not reproduced here.] 

$o(p) = \{\emptyset\} \qquad o(s) = \{\emptyset\}$ 
$o(q) = \mathcal{P}_\omega(A) \qquad o(u) = \mathcal{P}_\omega(A)$ 
$o(r) = \mathcal{P}_\omega(A) \qquad o(v) = \mathcal{P}_\omega(A)$ 

The function $o\colon S \to \mathcal{P}_\omega(\mathcal{P}_\omega(A))$ assigning to each state $x$ the set $\mathit{Fail}(t(x))$ is given 
above. Suppose we want to build the minimal Moore machine for the behaviour $[\![\{p\}]\!]$, 
i.e., the set of failure pairs of $p$: 

$\mathcal{F}(p) = \{(a^*, \{\emptyset\}),\ (a^*b, \mathcal{P}_\omega(A)),\ (a^*c, \mathcal{P}_\omega(A))\}.$ 

By applying our algorithm to the decorated LTS $(S, (o, t))$, we first obtain the intermediate 
Moore machine on the left below, where a double arrow $\psi \Rightarrow Z$ means that the output of 
$\psi$ is the set $Z$. The new initial state is $\psi_1\colon S \to \mathcal{P}_\omega(\mathcal{P}_\omega(A))$ which, by definition, is the output 
function of the original LTS mapping $p, s$ to $\{\emptyset\}$ and $q, r, u$ and $v$ to $\mathcal{P}_\omega(A)$. The explicit 
definitions of the other functions $\psi_i$ can be easily computed according to the definition 
of $t^R$ (5.16). 

[Figure: on the left, the intermediate Moore machine with initial state $\psi_1$; on the right, the minimal Moore machine with initial state $\omega_1$. Not reproduced here.] 

Observe that $[\![\psi_1]\!]$ is the “reverse” of $[\![\{p\}]\!]$. For instance, triggering a sequence in the 
language denoted by $ba^*$ from $\psi_1$ leads to $\psi_3$ with output $\mathcal{P}_\omega(A)$; this is the same output 
we get by executing $a^*b$ from $p$, according to $\mathcal{F}(p)$. Executing “reverse and determinise” 
once more (step 3) and taking the reachable part (step 4), we obtain the minimal Moore 
machine depicted on the right, with initial state $\omega_1$. 

The correctness of this algorithm is established in Section 5.2.5; it builds on the coalgebraic 
perspective on Brzozowski's algorithm given in [BBRS12]. 
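An added, runnable rendering of the four steps with the modified “reverse and determinise” of (5.16) (illustration code written for this page, not the thesis's implementation): step 1 builds states $\psi\colon S \to \mathcal{P}_\omega(\mathcal{P}_\omega(A))$ directly from the decorated LTS, step 3 applies the Moore-machine reversal of [BBRS12] in the form of (5.17) to the reachable intermediate machine, and steps 2 and 4 are one reachability routine. The LTS is constructed (an assumption, since the figure is not on the page) to have exactly the outputs and the failure pairs $\mathcal{F}(p)$ given above; all identifiers are assumptions.

```python
from itertools import combinations

ALPHABET = ("a", "b", "c")
# Constructed LTS (assumption): p and s enable all of a, b, c; q, r, u, v are deadlocked,
# so o(p) = o(s) = {{}} and o(q) = o(r) = o(u) = o(v) = P(A), as stated in the text.
LTS = {"p": {"a": {"s"}, "b": {"q"}, "c": {"r"}},
       "s": {"a": {"p"}, "b": {"u"}, "c": {"v"}},
       "q": {}, "r": {}, "u": {}, "v": {}}
STATES = tuple(sorted(LTS))


def powerset(s):
    s = sorted(s)
    return frozenset(frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r))


def fail(x):
    """o(x) = Fail(t(x)) (5.5): every Z subset of A disjoint from the enabled labels I(x)."""
    enabled = {a for a, succ in LTS[x].items() if succ}
    return powerset(set(ALPHABET) - enabled)


def join(values):
    """The join of P(P(A)): union of sets of failure sets (the empty join is the bottom)."""
    return frozenset().union(*values)


def reachable(init, out, step):
    """Steps 2 and 4: the part of a Moore machine reachable from init.
    Returns (states in discovery order, outputs, transitions, init)."""
    seen, order, trans, todo = {init}, [init], {}, [init]
    while todo:
        q = todo.pop()
        for a in ALPHABET:
            q2 = step(q, a)
            trans[(q, a)] = q2
            if q2 not in seen:
                seen.add(q2)
                order.append(q2)
                todo.append(q2)
    return order, {q: out(q) for q in order}, trans, init


def reverse_determinise_lts(initial):
    """Step 1 as modified in Section 5.2.4 (5.16): states are functions S -> P(P(A)),
    stored as tuples indexed like STATES; the initial state is I^R = o."""
    idx = {x: i for i, x in enumerate(STATES)}
    psi1 = tuple(fail(x) for x in STATES)

    def out(psi):                 # o^R(psi) = join over x in I of psi(x)
        return join(psi[idx[x]] for x in initial)

    def step(psi, a):             # t^R(psi)(a)(x) = join over y in t(x)(a) of psi(y)
        return tuple(join(psi[idx[y]] for y in LTS[x].get(a, ())) for x in STATES)

    return reachable(psi1, out, step)


def reverse_determinise_moore(machine):
    """Step 3, the Moore-machine reversal of [BBRS12] in the shape of (5.17): states are
    functions Q -> P(P(A)), the initial state is the output map, the output of phi is
    its value at q0, and reading a precomposes phi with the a-transitions."""
    order, outputs, trans, q0 = machine
    idx = {q: i for i, q in enumerate(order)}
    phi0 = tuple(outputs[q] for q in order)

    def out(phi):
        return phi[idx[q0]]

    def step(phi, a):
        return tuple(phi[idx[trans[(q, a)]]] for q in order)

    return reachable(phi0, out, step)


def minimal_moore_for_failures(initial):
    """All four steps of Figure 5.1 for failure semantics."""
    return reverse_determinise_moore(reverse_determinise_lts(initial))


def behaviour(machine, word):
    """[[q0]](w): the output reached after reading w from the initial state."""
    order, outputs, trans, q = machine
    for a in word:
        q = trans[(q, a)]
    return outputs[q]


if __name__ == "__main__":
    inter = reverse_determinise_lts({"p"})
    mini = minimal_moore_for_failures({"p"})
    print(len(inter[0]), "intermediate states;", len(mini[0]), "states in the minimal machine")
```

Reading $ba^*$ from the intermediate initial state yields $\mathcal{P}_\omega(A)$, the reverse of $a^*b$ from $p$; the final machine has three states, one per distinct behaviour of $\mathcal{F}(p)$.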


5.2.5 Correctness of Brzozowski for failure semantics 

The main intuition behind Brzozowski's algorithm is that the procedure reverse and 
determinise transforms a system into one having the “reversed” behaviour. Moreover, 
if the original system is reachable (that is, all the states are reachable from the initial state), 
then the resulting system is observable (that is, all the states have different behaviours). 
Therefore, after performing the first two steps of Brzozowski's algorithm, one obtains a 
system which is reachable and that has a “reversed” behaviour. After the third step, the 
system has the original behaviour and, moreover, it is observable. After the fourth step, it 
is observable and reachable, that is, it is minimal. 

There are two key steps for our proof: (a) showing that the procedure reverse and 
determinise introduced in Section 5.2.4 transforms a decorated LTS into a Moore machine 
having “reversed” behaviour; (b) showing that at the third step the algorithm transforms 
a reachable Moore machine into an observable one. 

Point (b) follows immediately from Section 5 in [BBRS12], where a variation of Brzozowski's 
algorithm for Moore machines is introduced: when restricted to Moore machines, 
the operations of reversing and determinising in our algorithm coincide with 
those in [BBRS12]. 

In the sequel, we prove (a) by relying on [BBRS12]. Let $(S, t)$ be an LTS with the 
set of initial states $i\colon 1 \to \mathcal{P}_\omega(S)$ (we prefer to use this functional notation, rather than 
$I \in \mathcal{P}_\omega(S)$, because it is more convenient for the proof). Let $(\mathcal{P}_\omega(S), (o^\sharp, t^\sharp))$ be the corresponding 
Moore machine (as defined in (5.6)) and let $[\![-]\!]\colon \mathcal{P}_\omega(S) \to (\mathcal{P}_\omega(\mathcal{P}_\omega(A)))^{A^*}$ be 
the induced semantics map. 

By reversing and determinising as in [BBRS12], we obtain the Moore machine 

$((\mathcal{P}_\omega(\mathcal{P}_\omega(A)))^{\mathcal{P}_\omega(S)}, (o^R, t^R))$ 

with initial state $i^R$, defined as 

$i^R = o^\sharp \qquad o^R(\varphi) = \varphi \circ i \qquad t^R(\varphi)(a)(X) = \varphi(t^\sharp(X)(a)).$ (5.17) 

According to [BBRS12], we know that this machine has “reversed” behaviour, i.e., 

$(\forall w \in A^*).\ [\![i^R]\!]_1(w) = [\![i]\!](w^R)$ (5.18) 

where 

$[\![-]\!]_1\colon (\mathcal{P}_\omega(\mathcal{P}_\omega(A)))^{\mathcal{P}_\omega(S)} \to (\mathcal{P}_\omega(\mathcal{P}_\omega(A)))^{A^*}$ 

is the semantic map, and $w^R$ denotes the reverse of the word $w$, inductively defined as $\varepsilon^R = \varepsilon$ 
and $(aw')^R = w'^R a$. 

Our algorithm performs the determinisation and the “reverse and determinise” at once. 
For a Moore machine defined as in (5.16), the map to the final coalgebra 

$[\![-]\!]_2\colon (\mathcal{P}_\omega(\mathcal{P}_\omega(A)))^S \to (\mathcal{P}_\omega(\mathcal{P}_\omega(A)))^{A^*}$ 

satisfies the following lemma. 

5.2.1 Lemma. Let $\psi \in (\mathcal{P}_\omega(\mathcal{P}_\omega(A)))^S$ and $\varphi \in (\mathcal{P}_\omega(\mathcal{P}_\omega(A)))^{\mathcal{P}_\omega(S)}$ be such that, for all $X \in \mathcal{P}_\omega(S)$, 

$\varphi(X) = \bigsqcup_{x \in X} \psi(x).$ (*) 

Then, $[\![\psi]\!]_2 = [\![\varphi]\!]_1$. 
Proof. The proof is by induction on $w \in A^*$. For the base case, $w = \varepsilon$, we have: 

$[\![\psi]\!]_2(\varepsilon) = o^R(\psi) = \bigsqcup_{x \in i} \psi(x) = \varphi(i) = o^R(\varphi) = [\![\varphi]\!]_1(\varepsilon)$ 

For the inductive step, consider $w \in A^*$ and assume that $[\![\psi]\!]_2(w) = [\![\varphi]\!]_1(w)$ holds for 
all $\psi, \varphi$ satisfying (*). 

We want to prove that $[\![\psi]\!]_2(aw) = [\![\varphi]\!]_1(aw)$ holds for $a \in A$. We first define $\varphi_a(X) = 
\varphi(t^\sharp(X)(a))$ and $\psi_a(x) = \bigsqcup_{y \in t(x)(a)} \psi(y)$, where $X \in \mathcal{P}_\omega(S)$ and $x \in S$ (which, as an intuition, 
will further be used when applying the induction hypothesis in our proof). 

Note that (*) is satisfied by $\varphi_a$ and $\psi_a$: $\varphi_a(X) = \bigsqcup_{x \in X} \psi_a(x)$, because 

$\varphi_a(X) = \varphi(t^\sharp(X)(a)) = \varphi\Big(\bigsqcup_{x \in X} t(x)(a)\Big) = \bigsqcup_{x \in X} \bigsqcup_{y \in t(x)(a)} \psi(y) = \bigsqcup_{x \in X} \psi_a(x).$ 

At this point it is easy to see that $[\![\psi]\!]_2(aw) = [\![\varphi]\!]_1(aw)$: 

$[\![\varphi]\!]_1(aw) = [\![\lambda X.\, \varphi(t^\sharp(X)(a))]\!]_1(w)$ (by definition of $t^R$) 
$= [\![\lambda X.\, \varphi_a(X)]\!]_1(w)$ 
$= [\![\lambda x.\, \psi_a(x)]\!]_2(w)$ (by the induction hypothesis) 
$= [\![\lambda x.\, \bigsqcup_{y \in t(x)(a)} \psi(y)]\!]_2(w)$ 
$= [\![t^R(\psi)(a)]\!]_2(w) = [\![\psi]\!]_2(aw).$ □ 

In particular, if we take $\psi = I^R$ and $\varphi = o^\sharp$, we have that $[\![I^R]\!]_2 = [\![o^\sharp]\!]_1$. By (5.18) and 
the fact that $i^R = o^\sharp$, the following holds: 

$(\forall w \in A^*).\ [\![o^\sharp]\!]_1(w) = [\![i]\!](w^R).$ 

Summarising, for all $w \in A^*$, $[\![I^R]\!]_2(w) = [\![i]\!](w^R)$. 

For an example of this fact, observe that $p$ and $\psi_1$ in Section 5.2.4 have reversed 
behaviours. 

5.2.6 Brzozowski’s algorithm for must semantics 

The Brzozowski algorithm introduced in Section 5.2.4 for failure equivalence can be used 
also for checking $\sim_{\mathit{mst}}$ and $\sqsubseteq_{\mathit{mst}}$. Now, the procedure “reverse and determinise” returns 
the Moore machine $((1 + \mathcal{P}_\omega(\mathcal{P}_\omega(A)))^S, o^R, t^R)$. The initial state $I^R$, the outputs 

$o^R\colon (1 + \mathcal{P}_\omega(\mathcal{P}_\omega(A)))^S \to 1 + \mathcal{P}_\omega(\mathcal{P}_\omega(A))$ 

and the transitions 

$t^R\colon (1 + \mathcal{P}_\omega(\mathcal{P}_\omega(A)))^S \to ((1 + \mathcal{P}_\omega(\mathcal{P}_\omega(A)))^S)^A$ 

are defined as in (5.16), plus the case 

$t^R(\psi)(a)(x) = \top \text{ if } t(x)(a) = \top,$ 

by replacing $o$ and $t$ with those defined in (5.10) and (5.9), and by considering the join 
operation $\sqcup$ in $1 + \mathcal{P}_\omega(\mathcal{P}_\omega(A))$ (rather than in $\mathcal{P}_\omega(\mathcal{P}_\omega(A))$). 

In what follows, we illustrate Brzozowski's algorithm for must testing by means of an 
example. Consider the divergent LTS $(S, t)$ below: 

[Figure: the divergent LTS $(S, t)$ with states $x_1, \dots, x_5$; not reproduced here.] 

and $o\colon S \to 1 + \mathcal{P}_\omega(\mathcal{P}_\omega(A))$ the decoration function 

$o(x_1) = o(x_2), \qquad o(x_3) = \{a\}, \qquad o(x_4) = \{\emptyset\}, \qquad o(x_5) = \top.$ 

Assume we want to build the minimal Moore machine for the behaviour of $x_1$, which is 
must testing equivalent with $x_2$. By applying our algorithm to the decorated LTS $(S, (o, t))$ 
we obtain the following intermediate Moore machine: 

[Figure: the intermediate Moore machine with initial state $\psi_1$; the outputs shown are $\{\emptyset, \{b\}\}$, $\{\emptyset, \{a\}, \{b\}\}$ and $\emptyset$. Not reproduced here.] 

Observe that $[\![\psi_1]\!]$ is the “reverse” of $[\![\{x_1\}]\!]$. For instance, each sequence $w$ in the language 
denoted by $ba^*$ determines, when triggered from $\psi_1$, the output $\emptyset$, which coincides 
with the (empty) set of actions that the automaton can fail to execute after performing 
$w$. Finally, we execute reverse and determinise and get the following minimal Moore 
automaton (with initial state $\omega_1$): 

[Figure: the minimal Moore automaton with initial state $\omega_1$; the outputs shown are $\{\emptyset, \{b\}\}$, $\{\emptyset, \{a\}, \{b\}\}$, $\emptyset$ and $\top$. Not reproduced here.] 

Remark that the behaviours of the must equivalent states $x_1$ and $x_2$ have been “collapsed” 
into $\omega_1$. 
5.2.7 Correctness of Brzozowski's algorithm for must semantics 

In this section we show the correctness of Brzozowski's algorithm for must equivalence. 
The approach is similar to the one described in Section 5.2.5; the slight differences, which 
are consequences of the divergence-sensitive nature of must semantics, are summarised 
as follows. 

Consider an LTS with divergence $(S, t\colon S \to (1 + \mathcal{P}_\omega(S))^A)$, with the set of initial states 
$i\colon 1 \to \mathcal{P}_\omega(S)$. As recalled in the beginning of this chapter, the corresponding coalgebraic 
ingredients are extended to $1 + \mathcal{P}_\omega(-)$ (see (5.11)): the associated Moore machine has its 
state space in $1 + \mathcal{P}_\omega(S)$ and observations in $1 + \mathcal{P}_\omega(\mathcal{P}_\omega(A))$, whereas the induced semantic 
map becomes $[\![-]\!]\colon 1 + \mathcal{P}_\omega(S) \to (1 + \mathcal{P}_\omega(\mathcal{P}_\omega(A)))^{A^*}$. Consequently, the current approach 
considers the join operation $\sqcup$ in $1 + \mathcal{P}_\omega(\mathcal{P}_\omega(A))$ rather than in $\mathcal{P}_\omega(\mathcal{P}_\omega(A))$, as for failure semantics. 

By reversing and determinising as in [BBRS12], we obtain the Moore machine 

$\mathcal{M}^R = ((1 + \mathcal{P}_\omega(\mathcal{P}_\omega(A)))^{\mathcal{P}_\omega(S)}, o^R, t^R)$ 

for which the initial set of states $i^R$, $o^R$ and $t^R$ are defined as in (5.17), in Section 5.2.5. 
Equivalently to the statement in (5.18), this machine has the “reversed” behaviour of the 
initial LTS. 

The novel algorithm performing the determinisation and the “reverse and determinise” at 
once returns, for the case of must semantics, the Moore machine 

$\overline{\mathcal{M}}^R = ((1 + \mathcal{P}_\omega(\mathcal{P}_\omega(A)))^S, \bar{o}^R, \bar{t}^R)$ 

for which the corresponding initial state $I^R$, the outputs $\bar{o}^R\colon (1 + \mathcal{P}_\omega(\mathcal{P}_\omega(A)))^S \to 1 + 
\mathcal{P}_\omega(\mathcal{P}_\omega(A))$ and the transitions $\bar{t}^R\colon (1 + \mathcal{P}_\omega(\mathcal{P}_\omega(A)))^S \to ((1 + \mathcal{P}_\omega(\mathcal{P}_\omega(A)))^S)^A$ are defined 
as in (5.16) (plus the case $\bar{t}^R(\psi)(a)(x) = \top$ if $t(x)(a) = \top$), by replacing $o$ and $t$ with 
those defined in (5.10) and (5.9), in the beginning of this chapter. 

The fact that $\overline{\mathcal{M}}^R$ has the reverse behaviour of the original LTS follows according to 
a statement similar to the one in Lemma 5.2.1, by taking $[\![-]\!]_2\colon (1 + \mathcal{P}_\omega(\mathcal{P}_\omega(A)))^S \to 
(1 + \mathcal{P}_\omega(\mathcal{P}_\omega(A)))^{A^*}$, $\psi = I^R$ and $\varphi = i^R$ (satisfying (*)), and the fact that $\mathcal{M}^R$ has reversed 
behaviour: 

$(\forall w \in A^*).\ [\![i^R]\!]_1(w) = [\![i]\!](w^R).$ 

To conclude, the soundness of our algorithm follows by: 

$(\forall w \in A^*).\ [\![I^R]\!]_2(w) = [\![i]\!](w^R).$ 


5.3 Three families of examples 

As discussed in the beginning of this chapter, the theoretical complexity is not informative 
about the behaviour of these algorithms on concrete cases. In this section, we compare 
HKC, Brzozowski and partition refinement [CH89] on three families of examples. First, 
we need some tools to measure their behaviours. For HKC, we take $|R|$, the size of the 
produced relation $R$: indeed, cycle 2 of HKC is repeated at most $1 + |A| \cdot |R|$ times (where $|A|$ 
is the size of the alphabet). For [CH89], we consider the size $n$ of the reachable part of the 
determinised system: the main loop of the partition refinement is iterated at most $n$ times. 
Finally, the cost of Brzozowski's algorithm is related to the size of both the intermediate 
Moore machine (built after steps 1, 2) and the minimal one (built after steps 3, 4). 
First consider the following LTS, where $n$ is an arbitrary natural number. After the determinisation, 
$\{x\}$ can reach all the states of the shape $\{x\} \cup X_N$, where $X_N = \{x_i \mid i \in N\}$ 
for any $N \subseteq \{1, \dots, n\}$. More precisely, a trace $w \in \{a, b\}^*$ of length $k$ which leads $\{x\}$ to 
$\{x\} \cup X_N$ can be generally defined as a word whose $(k - i + 1)$-st letter is $b$ if and only if $i \in N$. 
For instance, for $n = 2$, $\{x\} \xrightarrow{aa} \{x\}$, $\{x\} \xrightarrow{ab} \{x, x_1\}$, $\{x\} \xrightarrow{ba} \{x, x_2\}$ and $\{x\} \xrightarrow{bb} \{x, x_1, x_2\}$. All 
those states are distinguished by must testing; for instance, $[\![\{x, x_1, x_2\}]\!](a) = \{a\}$ while 
$[\![\{x, x_2\}]\!](a) = \{\emptyset\}$. Therefore, the minimal Moore machine for $[\![\{x\}]\!]$ has at least $2^n$ 
states. 

[Figure: the two LTS's of the first family, with states $x, x_1, \dots, x_n$ on one side and $y, y_1, \dots, y_n, z$ on the other; transitions labelled $a$, $b$ and $a,b$, and divergent states marked $\top$. Not reproduced here.] 

One can prove that $x$ and $y$ are must equivalent by showing that the relation 

$R = \{(\{x\}, \{y\}),\ (\{x\}, \{y, z\}),\ (\top, \top)\} \cup \{(\{x\} \cup X_N, \{y, z\} \cup Y_N) \mid N \subseteq \{1, \dots, n\}\}$ 

is a bisimulation (here $Y_N = \{y_i \mid i \in N\}$). Note that $R$ contains $2^n + 3$ pairs. 

In order to check $[\![\{x\}]\!] = [\![\{y\}]\!]$, HKC builds the following relation, 

$R' = \{(\{x\}, \{y\}),\ (\{x\}, \{y, z\})\} \cup \{(\{x, x_i\}, \{y, z, y_i\}) \mid i \in \{1, \dots, n\}\}$ 

which is a bisimulation up-to and which contains only $n + 2$ pairs. It is worth observing 
that $R'$ is like a “basis” of $R$: all the pairs $(X, Y) \in R$ can be generated by those in $R'$ by 
iteratively applying the rules in (5.4). Therefore, HKC proves $[\![\{x\}]\!] = [\![\{y\}]\!]$ in polynomial 
time, while minimisation-based algorithms (such as [CH89] or Brzozowski's algorithm) 
require exponential time. 

For the following family of LTS's, the algorithm from [CH89] is efficient (the LTS is already 
deterministic) while Brzozowski's algorithm is not: the intermediate Moore machine built 
after steps 1, 2 has exponentially many states (for reasons similar to the previous 
example, the automaton being reversed first). 

[Figure (garbled in extraction): the second family of LTS's, deterministic, over the alphabet $\{a,b\}$.] 


Finally, consider the family of LTS's on $A = \{a\}$ consisting of $n$ disjoint cycles of increasing 
lengths. The case $n = 5$ is depicted on the left below. Suppose that we want to show that 
the superposition of the states $x^1_0, \dots, x^n_0$ is equivalent to $u$, given on the right. 



The states reachable from the set $\{x^1_0, \dots, x^n_0\}$ in the determinised system are of the shape 
$X_k = \{x^i_{k \bmod i} \mid 1 \le i \le n\}$. There are $p$ such sets, where $p = \mathrm{lcm}[1..n]$ is the least common 
multiple of the first $n$ natural numbers (this number is greater than $2^n$ for every $n \ge 7$). 
With [CH89], one would start by constructing all those sets, and one can show that HKC 
actually produces a relation of size $p$. Therefore, those two methods need exponentially 
many steps. On the other hand, Brzozowski's algorithm is extremely efficient on this family 
of examples: the output of every state is $\{\emptyset\}$, so that the only reachable state in 
the intermediate Moore machine (built after steps 1 and 2) is the function mapping all 
the states to $\{\emptyset\}$. Therefore we obtain the minimal realisation immediately. 
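The three families above are small enough to run. The following program is an added example written for this page; it is not the implementation the thesis describes (the applet linked in the summary), and it works at the language-equivalence instance of the framework, where the output of a set of states is the Boolean OR of the members' outputs rather than the must-testing decoration, so the $\tau$-transitions and the top element do not appear. It implements the accessible subset construction (the starting point of [CH89]), HKC with the congruence-closure test computed by normal forms, and Brzozowski's reverse-determinise-reverse-determinise minimisation, and it builds the three families. The shape of the first family (x loops on a and b and reads b to $x_1$, $x_i$ steps to $x_{i+1}$, y mirrors x with an extra sink state z, only $x_n$ and $y_n$ have output 1) is reconstructed from the description in the text and is an assumption; the second family is my own choice of a deterministic automaton whose reversal has the first family's shape, since its figure did not survive extraction; the third is the cycle family with the one-state loop u.

```python
from collections import deque

class NFA:
    """Finite LTS with a Boolean output per state (the output semilattice {0,1} under OR)."""
    def __init__(self, alphabet, trans, final):
        self.alphabet = tuple(alphabet)
        self.trans = trans              # (state, letter) -> set of successor states
        self.final = frozenset(final)   # states whose output is 1

    def step(self, states, letter):
        return frozenset(t for s in states for t in self.trans.get((s, letter), ()))

    def output(self, states):           # join (OR) of the members' outputs
        return bool(self.final & states)

def determinise(nfa, init):
    """Accessible part of the subset construction, i.e. what a partition-refinement
    algorithm such as [CH89] would start from.  Returns (reachable subsets, transitions)."""
    init = frozenset(init)
    seen, todo, trans = {init}, deque([init]), {}
    while todo:
        S = todo.popleft()
        for a in nfa.alphabet:
            T = trans[(S, a)] = nfa.step(S, a)
            if T not in seen:
                seen.add(T)
                todo.append(T)
    return seen, trans

def hkc(nfa, X, Y):
    """Hopcroft-Karp up to congruence: returns (equivalent?, |R|).  A pair already in
    the congruence closure c(R u todo) is skipped; membership is decided by rewriting
    both sides to normal form (Z absorbs A u B as soon as A <= Z or B <= Z)."""
    def normal_form(Z, rel):
        Z, changed = set(Z), True
        while changed:
            changed = False
            for A, B in rel:
                if (A <= Z or B <= Z) and not ((A | B) <= Z):
                    Z |= A | B
                    changed = True
        return frozenset(Z)

    todo, R = deque([(frozenset(X), frozenset(Y))]), []
    while todo:
        X, Y = todo.popleft()
        rel = R + list(todo)
        if normal_form(X, rel) == normal_form(Y, rel):
            continue
        if nfa.output(X) != nfa.output(Y):
            return False, len(R)
        for a in nfa.alphabet:
            todo.append((nfa.step(X, a), nfa.step(Y, a)))
        R.append((X, Y))
    return True, len(R)

def brzozowski(nfa, init):
    """Reverse, determinise, reverse, determinise.  Returns the number of states of
    the intermediate machine (after steps 1, 2) and of the minimal one (steps 3, 4)."""
    def reverse(n, init):               # the old outputs become the new initial set
        rtrans = {}
        for (s, a), targets in n.trans.items():
            for t in targets:
                rtrans.setdefault((t, a), set()).add(s)
        return NFA(n.alphabet, rtrans, init), n.final

    def det(n, init):
        subsets, trans = determinise(n, init)
        dfa = NFA(n.alphabet, {k: {v} for k, v in trans.items()},
                  {S for S in subsets if n.output(S)})
        return dfa, frozenset(init), len(subsets)

    d1, s1, intermediate = det(*reverse(nfa, init))
    _, _, minimal = det(*reverse(d1, {s1}))
    return intermediate, minimal

def family1(n):
    """First family (shape assumed from the text): x loops on a,b and reads b to x1,
    xi steps to x(i+1); y mirrors x with an extra sink z.  Only xn and yn output 1."""
    t = {("x", "a"): {"x"}, ("x", "b"): {"x", "x1"}, ("y", "a"): {"y", "z"},
         ("y", "b"): {"y", "z", "y1"}, ("z", "a"): {"z"}, ("z", "b"): {"z"}}
    t.update({(f"{p}{i}", a): {f"{p}{i + 1}"} for p in "xy" for i in range(1, n) for a in "ab"})
    return NFA("ab", t, {f"x{n}", f"y{n}"})

def family2(k):
    """A deterministic LTS chosen here (the page's figure is lost): output 1 iff the
    k-th letter read is b.  Its reversal is again the family-1 pattern."""
    t = {(s, a): {s} for s in ("acc", "dead") for a in "ab"}
    t.update({(i, a): {i + 1} for i in range(k - 1) for a in "ab"})
    t[(k - 1, "b")], t[(k - 1, "a")] = {"acc"}, {"dead"}
    return NFA("ab", t, {"acc"})

def family3(n):
    """Third family: n disjoint a-cycles of lengths 1..n plus the loop state u; no
    state outputs 1, so every set of states has the same output."""
    t = {("u", "a"): {"u"}}
    t.update({((i, j), "a"): {(i, (j + 1) % i)} for i in range(1, n + 1) for j in range(i)})
    return NFA("a", t, ())
```

With $n = k = 5$ the numbers match the analysis above: the first family determinises into $2^5 = 32$ states while `hkc` proves $x$ and $y$ equivalent with a relation of $5 + 2 = 7$ pairs, and its minimal machine has 32 states; the second family is already deterministic with 7 states, yet Brzozowski's intermediate machine has 32; the third family yields $\mathrm{lcm}[1..5] = 60$ determinised states and 60 HKC pairs, whereas Brzozowski's intermediate and minimal machines both have a single state. For anyone checking a protocol state machine against its specification this is the practical lesson of the section: which algorithm is cheap depends on the instance, not on the worst-case bound, so measure before choosing.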


5.4 Concrete tests on a synchronisation protocol 

We implemented the presented algorithms (Brzozowski minimisation and HKC) for ready, 
failure and must semantics. Moreover, we tested our implementation and compared the 
various algorithms by analysing some instances of a multiway synchronisation protocol 
(MSP) due to Parrow and Sjödin [PS96]. 

The scenario is the following: there are several clients, denoted by 1, 2, ..., trying to 
synchronise on communication channels, denoted by a, b, .... Each channel comes with 
a fixed subset of clients, all of which must agree to participate for the action to take 
place. For instance, in a configuration denoted by a(1,2), b(1,2,3), with three clients 
and two channels, clients 1 and 2 have to synchronise to perform action a, and the 
three clients have to synchronise to perform action b. Parrow and Sjödin study protocols 
for scheduling client requests so as to enforce the synchronisation constraints. 
They propose an ideal and centralised scheduler as a specification, and a distributed 
and more realistic scheduler. They prove them equivalent, using a notion of equivalence 
called "cs-equivalence" which entails must-testing equivalence in the considered case. 
Both schedulers are presented as finite LTS's. 

We computed those LTS's for some small configurations, checked them for must equivalence, 
and minimised the ideal scheduler with respect to must semantics. For each 
configuration, we give various size indications in Figure 5.2: the first column is the 
configuration; the second one gives the number of states of the minimal Moore machine; the 
third and fourth columns give the number of states of the ideal and distributed schedulers, 
respectively. One can notice that the ideal schedulers are almost minimal, while the 
distributed ones are comparatively huge. The fifth column gives the number of reachable 
states after determinisation along weak transitions (i.e., the number of states one would 
start with in a partition-refinement algorithm); this number is usually smaller than 
the size of the distributed scheduler, since the latter contains many intermediate states 
that are removed by determinisation. The sixth column gives the size of the intermediate 
automaton obtained after performing half of Brzozowski's minimisation algorithm; notice that 
this intermediate automaton is usually much smaller than the distributed scheduler, but 
also much larger than the ideal and minimal ones. The last column gives the number 
of pairs required by HKC to prove the equivalence between the ideal and the distributed 
scheduler; it is never larger than, and usually much smaller than, the size of the determinised automaton. 


Chapter 5. Algorithms for decorated trace and testing semantics 

config.            min.   ideal    distr.   determ.   interm.    HKC 
a(1,2)                9       9        34        12        88     12 
a(1,2,3)             27      27       304        84      1110     82 
a(1,2),b(1)          15      18      6089      1074       189    294 
a(1,2),b(3)          17      27      1057       303       436    225 
a(1,2),b(1,2)        28      34    101532     18608       389   2236 
a(1,2),b(1,3)        49      54     38288     11024      2568   5462 
a(1,2),b(3,4)        65      81      8666      3230      7570   1806 
a(1,2,3),b(1)        45      54     54090      8644      2207   2207 
a(1,2,3),b(4)        53      81     12053      3330      5546   2116 
a(1,2,3),b(1,4)       -     162    259890         -         -      - 
a(1),b(2),c(3)        9      27      5917      1594       126    830 
a(1),b(1),c(2)        9      18     37380      7984        66   2351 
a(1),b(1),c(1)        9      11    149267     41444        34   2685 
a(1,2),b(3),c(4)     33      81     50844     20526      2176   6642 

Columns: config. = configuration; min. = states of the minimal Moore machine; ideal, distr. = states of the ideal and of the distributed scheduler; determ. = reachable states after determinisation along weak transitions; interm. = states of the intermediate automaton of Brzozowski's algorithm; HKC = pairs in the relation built by HKC. 

Figure 5.2: Concrete tests. 


5.5 Discussion 

In Chapter 4 we have introduced coalgebraic characterisations of decorated trace and 
must testing semantics by means of the generalised powerset construction [SBBR10]. This 
allowed us to adapt proof techniques and algorithms that have been developed for language 
equivalence to must semantics. In particular, in this chapter, we showed that 
bisimulations up-to congruence (recently introduced in [BP13] for NDA's) are 
sound also for must semantics. This fact guarantees the correctness of a generalisation of 
HKC [BP13] for checking must equivalence and preorder, and suggests that the antichain-based 
algorithms [ACH+10, DR10, WDHR06] can be adapted in a similar way. We have 
also proposed a variation of Brzozowski's algorithm [Brz62] to check must semantics, by 
exploiting the abstract theory in [BBRS12]. Our contribution is not a simple instantiation 
of [BBRS12]: developing our algorithm required some ingenuity to avoid 
the preliminary determinisation that would be needed to apply [BBRS12] directly. We 
implemented these algorithms together with an interactive applet available online. 
Beyond must semantics, one can use such algorithms to check the decorated trace equivalences 
[vG01a] that have been studied in [BBC+12]: like failure, these are obtained by 
decorating the states of an LTS with a function $o\colon S \to B$. The key of our approach is that 
$B$ needs to be a semi-lattice with bottom (for must, a semi-lattice with bottom and top); 
this is required by the generalised powerset construction so that decorated LTS's can be 
determinised into Moore machines. 


























Chapter 6 


Future work 


We provide an overview of the possible theoretical and practical further developments of 
the work in this thesis. 

With respect to the contributions on generalised regular expressions modelling non-deterministic 
coalgebras introduced in Chapter 3, we consider: 

Extensions to quantitative coalgebras. In the future, we would like to extend the class 
of systems to include quantitative coalgebras. In [SBBR11], the approach for handling 
non-deterministic coalgebras was extended to a large class of quantitative systems encompassing 
weighted automata, simple Segala, stratified and Pnueli-Zuck systems, by 
considering a functor type that allows the transitions of systems to take values in a monoid 
structure of quantitative values. 

The challenge in this respect arises from the fact that computing bisimulation relations in 
a quantitative setting involves matrix manipulations, hence linear-algebra 
techniques, and it is not clear how to implement these in CIRC. 

Tool enhancements and complexity studies. To improve usability, building a graphical 
interface for the tool is an obvious next step. The graphical interface should ideally allow 
the specification of expressions by means of systems of equations (which are then solved 
internally) or even by means of an automaton, which would then be translated to an 
expression using Kleene’s theorem. 

We would also like to explore how adding more axioms than ACI to the prover (that is, 
performing each step of the bisimulation check modulo more equations) improves 
the performance of the tool. Our experience so far shows that adding the axioms 
describing the interplay between 0 and the other constructs, e.g. $0 \oplus e = e$, makes the prover 
significantly faster. 

We have not yet studied complexity bounds for the algorithms presented in this thesis. 
We conjecture, however, that the bounds will be very similar to the ones already known 
for classical regular expressions [Koz06, Wor08]. 

In connection with the coalgebraic handling of decorated trace, may and must testing 
semantics in Chapter 4 and Chapter 5, we consider: 

Coalgebraic handling of other semantics. In the future, we want to derive a new 
representation of possible-futures semantics. This is motivated by the current drawback 
of storing, for each state of the LTS, the corresponding set of traces. In this context, it 
might be more appropriate to consider the definition of possible-futures semantics given 
in terms of nested bisimulations [HM85], rather than the set-theoretic one in [vG01a]. 
Moreover, we aim at providing coalgebraic modellings for the remaining semantics of 
the spectrum in [vG01a]. Amongst these, we mention possible-worlds semantics, whose 
path-based characterisation shifts the problem of reasoning on the corresponding equivalence 
to a setting close to possible-futures semantics. The coalgebraic modelling of 
possible-futures semantics still requires an efficient handling of the traces associated with 
a process, as mentioned above. Orthogonally, the challenge in deriving a straightforward 
modelling of simulation semantics via the generalised powerset construction [SBBR13] 
originates from the absence of an equivalent trace-based definition. 

We would also like to understand how our approach can be combined with the results 
in [BG06] to obtain a coinductive approach to the denotational (linear-time) semantics of 
different kinds of process calculi. The work in [BG06] presents a fully abstract model 
of must testing for CSP by turning the set of processes into a (partial) Moore automaton 
with output in a certain semiring $K$ and input from a set of actions $A$. The final semantics 
of this automaton is then given as a formal power series with coefficients in $K$ over the alphabet $A$. The approach can easily be 
extended to trace equivalence and other calculi, such as CCS, but no other decorated 
trace equivalences are considered. Our work is similar in spirit to the above, as 
we also construct a Moore automaton from a transition system, but in general we do 
not need a semiring structure, which makes the whole framework much simpler. For example, 
for must testing, our Moore automata have outputs in the set $1 + \mathcal{P}(\mathcal{P}_{\omega}(A))$. The 
framework is even simpler for the case of trace semantics, where our Moore automata 
have outputs in the two-element set $2$. 

Furthermore, we think it is promising to investigate whether our approach can be extended 
to the testing semantics of probabilistic and non-deterministic processes 
[DvGHM11, YL92, Seg96]. 


More algorithms. An interesting topic for future investigation is adapting the Brzozowski 
and HKC algorithms to check fair testing [RV07]. In [RV07], fair testing is defined 
in terms of so-called failure trees. While the corresponding coalgebraic modelling can 
easily be derived via the powerset construction, we do not know how to model fair testing 
equivalence and preorder. 

We would also like to study whether Brzozowski and HKC can be adapted and effectively 
applied to reason on decorated trace semantics of generative probabilistic systems. 


Rule formats for compositionality. In the future we consider it worth studying to what extent 
the modal characterisations of decorated trace semantics in [vG01a] can be exploited 
in order to develop a systematic study of their compositionality for languages defined by 
SOS-like rules [Plo04] satisfying specific formats. 

In this respect, we refer to the work in [Kli09], where both the rule formats and the decorated 
trace equivalences are "massaged" into a bialgebraic setting, by means of logical distributive 
laws defined in terms of notions of syntax and logical formulae. However, applying 
the machinery in [Kli09] requires a certain amount of ingenuity to identify the right 
logical behaviour. Therefore, one of the challenges (also mentioned as a pointer to future 
work in [Kli09]) consists in (partially) automating the whole procedure or, at least, in 
gaining more insight into how this could be achieved in an algorithmic fashion. 
Samenvatting (Dutch summary, translated here into English) 


The study of the semantics of reactive systems is an important direction within computer 
science. Reactive systems perform computations by interacting with their environment, 
and are generally composed of several parallel components that carry out tasks 
simultaneously and communicate with each other. Applications range from relatively simple 
systems such as calculators and vending machines to programs that control mechanical 
devices such as cars, subways or spacecraft. Since such systems are widely used and 
often very complex, the use of rigorous methods for the specification and development of, 
and the reasoning about, the behaviour of these systems is a great challenge. One possible 
approach to treating reactive systems formally is to use a common language for describing 
both the implementation and the specification. In that case, verifying the implementation 
of a reactive system with respect to its specification corresponds to proving a form of 
equivalence/preorder between the descriptions in the formal language. 

The aim of this thesis is to exploit the strengths of an algebraic-coalgebraic framework 
for modelling reactive systems and reasoning formally about several kinds of associated 
semantics. In addition, this thesis aims at deriving a number of verification algorithms 
suitable for implementation in automated systems. 

In Chapter 3 we present a decision procedure for bisimilarity of a class of expressions 
that can describe infinite sequences (streams), Mealy automata and labelled transition 
systems. This procedure is implemented in the automatic theorem prover CIRC. Chapter 4 
describes a uniform coalgebraic approach for a collection of semantics for transition 
systems. For this we use an extension of the classical powerset construction. In particular 
we consider "decorated trace" equivalences for labelled transition systems and 
probabilistic systems, and the (so-called "must" and "may") "testing" semantics for 
divergent non-deterministic systems. The coalgebraic approach enables us to reason about 
the aforementioned notions of behavioural equivalence/preorder in terms of bisimulations. 
Furthermore, our framework facilitates the construction of verification algorithms that are 
not available for bisimilarity, as described in Chapter 5. In that chapter we describe a 
variation of Brzozowski's algorithm for minimising finite automata, and an optimisation of 
Hopcroft and Karp's algorithm for language semantics. Both algorithms have been 
successfully applied to reason about "decorated trace" and "testing" semantics. The 
corresponding implementations can be tried out online: 
http://perso.ens-lyon.fr/damien.pous/brz/ 



Summary 


One of the research areas of great importance in Computer Science is the study of the 
semantics of concurrent reactive systems. These are systems that compute by interact¬ 
ing with their environment, and typically consist of several parallel components, which 
execute simultaneously and potentially communicate with each other. Examples of such 
systems range from rather simple devices such as calculators and vending machines, to 
programs controlling mechanical devices such as cars, subways or spaceships. In light 
of their widespread deployment and complexity, the application of rigorous methods for 
the specification, design and reasoning on the behaviour of reactive systems has always 
been a great challenge. One possible approach to formally handle reactive systems is 
to use a “common language" for describing both the actual implementations and their 
specifications. When following this technique, verifying whether an implementation and 
its specification describe the same behaviour reduces to proving some notion of equiva¬ 
lence/preorder between their corresponding descriptions over the chosen language. 

The aim of this thesis is to exploit the strengths of a (co)algebraic framework in modelling 
reactive systems and reasoning on several types of associated semantics, in a uniform 
fashion. Moreover, we derive a suite of corresponding verification algorithms suitable for 
implementation in automated tools. 

In Chapter 3 we present a decision procedure for bisimilarity of a class of expressions 
defining systems such as infinite streams, deterministic automata, Mealy machines and 
labelled transition systems. The procedure is implemented in the automatic theorem 
prover CIRC. Chapter 4 provides a uniform coalgebraic handling of a series of semantics 
on transition systems. This is achieved by employing a generalisation of the classical 
powerset construction for determinising non-deterministic automata. In particular, we deal 
with decorated trace equivalences for labelled transition systems and probabilistic systems 
and with (the so-called "must" and "may") testing semantics for divergent non-deterministic 
systems. The coalgebraic approach enabled reasoning on the aforementioned notions of 
behavioural equivalence/preorder in terms of bisimulations. Moreover, our framework 
facilitated the construction of verification algorithms which are not available for bisim¬ 
ilarity, as shown in Chapter 5. There we provide a variation of Brzozowski’s algorithm 
to minimise finite automata and an optimisation of Hopcroft and Karp’s algorithm for 
language semantics. Both algorithms were successfully applied to reason on decorated 
trace and testing semantics. The corresponding implementations can be tested online at: 
http://perso.ens-lyon.fr/damien.pous/brz/. 